Safety Report

Xpoz Social Search

Name: Xpoz Social Search
Rating: 5 (6 reviews)
Author: atyachin

Search Twitter, Instagram, and Reddit posts in real time. Find social media mentions, track hashtags, discover influencers, and analyze engagement — 1.5B+ posts indexed. Social listening, brand monitoring, and competitor research made easy for AI agents.

1,676Downloads

7Installs

6Stars

9Versions

Search & Retrieval2,116 Video & Audio1,618 Monitoring & Logging1,579 Social Media1,367

Security Analysis

high confidence

Clean0.08 risk

The skill's requirements and runtime instructions line up with its stated purpose — it uses an mcporter CLI and an xpoz-setup OAuth flow to call Xpoz's backend — but you should verify the mcporter npm package and the xpoz-setup skill before installing.

Feb 12, 20262 files2 concerns

Purpose & Capabilitynote

The name/description (social search across Twitter/Instagram/Reddit) matches the runtime instructions: all calls are via an mcporter CLI to Xpoz MCP endpoints. Requiring a CLI (mcporter) and an OAuth setup skill (xpoz-setup) is reasonable. Minor inconsistency: the registry summary lists no required skills or network, while SKILL.md metadata declares a dependency on xpoz-setup and network mcp.xpoz.ai — functionally coherent but the registry metadata omission is a documentation mismatch.

Instruction Scopeok

SKILL.md only instructs the agent to invoke the mcporter CLI to call specific xpoz.* operations, poll operation status, and use CSV export for large results. It does not instruct reading unrelated local files, environment variables, or sending data to unknown endpoints beyond the declared mcp.xpoz.ai. The setup step defers OAuth to the xpoz-setup skill (browser or device code flow), which is appropriate for acquiring tokens.

Install Mechanismnote

Install is an npm package (mcporter) that creates the mcporter binary. npm installs are common but execute third-party code on the host — this is moderate risk (not an arbitrary URL download). Recommend verifying the mcporter package provenance (publisher, npm page, checksum) before installing.

Credentialsok

The skill itself requests no environment variables or local config paths. Authentication is delegated to the xpoz-setup skill via OAuth 2.1 (expected for a SaaS integration). There are no unexplained credentials requested here.

Persistence & Privilegeok

The skill is not always-enabled and does not request elevated or system-wide configuration changes. It relies on an external CLI and an auth setup skill; autonomous invocation is allowed by default but not combined with other red flags.

Guidance

This skill appears coherent with its description, but before installing: 1) Inspect the mcporter npm package (publisher, homepage, versions, download counts) — npm packages run code during install and provide the mcporter binary used at runtime. 2) Inspect the xpoz-setup skill because it handles OAuth and will obtain/store your access tokens; confirm where tokens are stored and what scopes are requested. 3) Confirm the network endpoint (mcp.xpoz.ai) is the official Xpoz service and review Xpoz's privacy/terms for data sent in queries/exports. 4) If you are cautious about autonomous agent actions, restrict the skill to user-invoked only or review agent policies, since the skill can make external network calls. If any of these provenance checks fail or are unclear, treat the install as higher risk.

Latest Release

v1.5.0

Trimmed SKILL.md to ~115 lines

More by @atyachin

Lead Generation

10 stars

Xpoz Setup

4 stars

Social Sentiment

4 stars

Instagram Search

3 stars

Social Intelligence

3 stars

Expert Finder

2 stars

Published by @atyachin on ClawHub