x-twitter-scraper
Integrates with the X API for Twitter data extraction, enabling tweet searches, user lookups, and engagement metrics.
Security score
The x-twitter-scraper skill was audited on May 14, 2026 and we found 58 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 109 | const response = await fetch(`${BASE}${path}`, { |
Template literal with variable interpolation in command context
| 119 | throw new Error(`Xquik API ${response.status}: ${error.error}`); |
Template literal with variable interpolation in command context
| 145 | const data = await xquikFetch(`${path}?${params}`); |
Template literal with variable interpolation in command context
| 220 | job = await xquikFetch(`/extractions/${job.id}`); |
Template literal with variable interpolation in command context
| 228 | const path = `/extractions/${job.id}${cursor ? `?after=${cursor}` : ""}`; |
Template literal with variable interpolation in command context
| 238 | const exportUrl = `${BASE}/extractions/${job.id}/export?format=csv`; |
Template literal with variable interpolation in command context
| 250 | const user = await xquikFetch(`/x/users/${username}`); |
Template literal with variable interpolation in command context
| 259 | const tweets = await xquikFetch(`/x/tweets/search?q=from:${username}`); |
Template literal with variable interpolation in command context
| 345 | const details = await xquikFetch(`/draws/${draw.id}`); |
Template literal with variable interpolation in command context
| 355 | const exportUrl = `${BASE}/draws/${draw.id}/export?format=csv`; |
Fetch to external URL
| 191 | const estimate = await xquikFetch("/extractions/estimate", { |
Fetch to external URL
| 207 | const job = await xquikFetch("/extractions", { |
Fetch to external URL
| 253 | const postsJob = await xquikFetch("/extractions", { |
Fetch to external URL
| 263 | const estimate = await xquikFetch("/extractions/estimate", { |
Fetch to external URL
| 269 | const repliesJob = await xquikFetch("/extractions", { |
Fetch to external URL
| 278 | const trends = await xquikFetch("/trends?woeid=1"); |
Fetch to external URL
| 311 | const draw = await xquikFetch("/draws", { |
Fetch to external URL
| 425 | const monitor = await xquikFetch("/monitors", { |
Fetch to external URL
| 435 | const webhook = await xquikFetch("/webhooks", { |
Fetch to external URL
| 445 | const events = await xquikFetch("/events?monitorId=7&limit=50"); |
Webhook reference - potential data exfiltration
| 3 | description: "X API & Twitter scraper skill for AI coding agents. Builds integrations with the Xquik REST API, MCP server & webhooks: tweet search, user lookup, follower extraction, engagement metrics |
Webhook reference - potential data exfiltration
| 13 | Xquik is an X (Twitter) real-time data platform providing a REST API, HMAC webhooks, and an MCP server for AI agents. It covers account monitoring, bulk data extraction (20 tools), giveaway draws, twe |
Webhook reference - potential data exfiltration
| 53 | | **Receive events in real time** | `POST /webhooks` | HMAC-signed delivery to your HTTPS endpoint | |
Webhook reference - potential data exfiltration
| 54 | | **Update webhook** | `PATCH /webhooks/{id}` | Change URL, event types, or pause/resume | |
Webhook reference - potential data exfiltration
| 91 | | 400 | `invalid_input`, `invalid_id`, `invalid_params`, `invalid_tweet_url`, `invalid_tweet_id`, `invalid_username`, `invalid_tool_type`, `invalid_format`, `missing_query`, `missing_params`, `webhook |
Webhook reference - potential data exfiltration
| 358 | ## Webhook Event Handling |
Webhook reference - potential data exfiltration
| 360 | Webhooks deliver events to your HTTPS endpoint with HMAC-SHA256 signatures. Each delivery is a POST with `X-Xquik-Signature` header and JSON body containing `eventType`, `username`, and `data`. |
Webhook reference - potential data exfiltration
| 362 | ### Webhook Handler (Express) |
Webhook reference - potential data exfiltration
| 368 | const WEBHOOK_SECRET = process.env.XQUIK_WEBHOOK_SECRET; |
Webhook reference - potential data exfiltration
| 378 | app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => { |
Webhook reference - potential data exfiltration
| 383 | if (!signature || !verifySignature(payload, signature, WEBHOOK_SECRET)) { |
Webhook reference - potential data exfiltration
| 407 | For Flask (Python) webhook handler, see [references/python-examples.md](references/python-examples.md#webhook-handler-flask). |
Webhook reference - potential data exfiltration
| 409 | Webhook security rules: |
Webhook reference - potential data exfiltration
| 414 | - Store webhook secret in environment variables, never hardcode |
Webhook reference - potential data exfiltration
| 417 | Check delivery status via `GET /webhooks/{id}/deliveries` to monitor successful and failed attempts. |
Webhook reference - potential data exfiltration
| 421 | Complete end-to-end: create monitor, register webhook, handle events. |
Webhook reference - potential data exfiltration
| 434 | // 2. Register webhook |
Webhook reference - potential data exfiltration
| 435 | const webhook = await xquikFetch("/webhooks", { |
Webhook reference - potential data exfiltration
| 438 | url: "https://your-server.com/webhook", |
Webhook reference - potential data exfiltration
| 442 | // IMPORTANT: Save webhook.secret. It is shown only once! |
Webhook reference - potential data exfiltration
| 444 | // 3. Poll events (alternative to webhooks) |
Webhook reference - potential data exfiltration
| 470 | | **Webhook/monitor update** | Full PATCH via `xquik` tool | PATCH endpoints | |
Webhook reference - potential data exfiltration
| 481 | - **Set up real-time alerts:** `monitors` (action=add) -> `webhooks` (action=add) -> `webhooks` (action=test) |
Webhook reference - potential data exfiltration
| 503 | - **Free**: account info, monitor/webhook management, radar, extraction history, cost estimates, tweet composition (compose, refine, score), style cache management (list, get, save, delete, compare), |
Webhook reference - potential data exfiltration
| 523 | - **`references/python-examples.md`**: Python equivalents of all JavaScript examples (retry, extraction, draw, webhook) |
Webhook reference - potential data exfiltration
| 524 | - **`references/webhooks.md`**: Extended webhook examples, local testing with ngrok, delivery status monitoring |
Ngrok tunnel reference
| 524 | - **`references/webhooks.md`**: Extended webhook examples, local testing with ngrok, delivery status monitoring |
Access to .env file
| 368 | const WEBHOOK_SECRET = process.env.XQUIK_WEBHOOK_SECRET; |
External URL reference
| 4 | compatibility: Requires internet access to call the Xquik REST API (https://xquik.com/api/v1) |
External URL reference
| 19 | | **Base URL** | `https://xquik.com/api/v1` | |
External URL reference
| 21 | | **MCP endpoint** | `https://xquik.com/mcp` (StreamableHTTP, same API key) | |
External URL reference
| 34 | const BASE = "https://xquik.com/api/v1"; |
External URL reference
| 294 | | `tweetUrl` | string | **Required.** Full tweet URL: `https://x.com/user/status/ID` | |
External URL reference
| 314 | tweetUrl: "https://x.com/burakbayir/status/1893456789012345678", |
External URL reference
| 330 | // tweetUrl: "https://x.com/burakbayir/status/1893456789012345678", |
External URL reference
| 438 | url: "https://your-server.com/webhook", |
External URL reference
| 453 | The MCP server at `https://xquik.com/mcp` uses a code-execution sandbox model with 2 tools (`explore` + `xquik`). The agent writes async JavaScript arrow functions that run in a sandboxed environment |
External URL reference
| 455 | **Legacy v1 server** at `https://xquik.com/mcp/v1` exposes 18 discrete tools with traditional input schemas. All new integrations should use the default v2 server at `/mcp`. |