x-twitter-scraper
Automates Twitter interactions and data extraction using the X API, enabling efficient account monitoring and engagement analysis.
Security score
The x-twitter-scraper skill was audited on May 14, 2026 and we found 59 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues

Template literal with variable interpolation in command context (10 findings)

| Line | Code |
| --- | --- |
| 119 | const response = await fetch(`${BASE}${path}`, { |
| 129 | throw new Error(`Xquik API ${response.status}: ${error.error}`); |
| 155 | const data = await xquikFetch(`${path}?${params}`); |
| 230 | job = await xquikFetch(`/extractions/${job.id}`); |
| 238 | const path = `/extractions/${job.id}${cursor ? `?after=${cursor}` : ""}`; |
| 248 | const exportUrl = `${BASE}/extractions/${job.id}/export?format=csv`; |
| 260 | const user = await xquikFetch(`/x/users/${username}`); |
| 269 | const tweets = await xquikFetch(`/x/tweets/search?q=from:${username}`); |
| 355 | const details = await xquikFetch(`/draws/${draw.id}`); |
| 365 | const exportUrl = `${BASE}/draws/${draw.id}/export?format=csv`; |


Fetch to external URL (10 findings)

| Line | Code |
| --- | --- |
| 201 | const estimate = await xquikFetch("/extractions/estimate", { |
| 217 | const job = await xquikFetch("/extractions", { |
| 263 | const postsJob = await xquikFetch("/extractions", { |
| 273 | const estimate = await xquikFetch("/extractions/estimate", { |
| 279 | const repliesJob = await xquikFetch("/extractions", { |
| 288 | const trends = await xquikFetch("/trends?woeid=1"); |
| 321 | const draw = await xquikFetch("/draws", { |
| 435 | const monitor = await xquikFetch("/monitors", { |
| 445 | const webhook = await xquikFetch("/webhooks", { |
| 455 | const events = await xquikFetch("/events?monitorId=7&limit=50"); |


Webhook reference - potential data exfiltration (27 findings)

| Line | Code |
| --- | --- |
| 3 | description: "X API & Twitter automation skill. Build integrations with the Xquik REST API, MCP server & webhooks: tweet search, user lookup, follower extraction, engagement metrics, giveaway draws, t |
| 10 | - Setting up account monitors or webhook event delivery |
| 21 | Xquik is an X (Twitter) real-time data platform providing a REST API, HMAC webhooks, and an MCP server for AI agents. It covers account monitoring, bulk data extraction (20 tools), giveaway draws, twe |
| 61 | \| **Receive events in real time** \| `POST /webhooks` \| HMAC-signed delivery to your HTTPS endpoint \| |
| 62 | \| **Update webhook** \| `PATCH /webhooks/{id}` \| Change URL, event types, or pause/resume \| |
| 101 | \| 400 \| `invalid_input`, `invalid_id`, `invalid_params`, `invalid_tweet_url`, `invalid_tweet_id`, `invalid_username`, `invalid_tool_type`, `invalid_format`, `invalid_json`, `missing_query`, `missing_p |
| 368 | ## Webhook Event Handling |
| 370 | Webhooks deliver events to your HTTPS endpoint with HMAC-SHA256 signatures. Each delivery is a POST with `X-Xquik-Signature` header and JSON body containing `eventType`, `username`, and `data`. |
| 372 | ### Webhook Handler (Express) |
| 378 | const WEBHOOK_SECRET = process.env.XQUIK_WEBHOOK_SECRET; |
| 388 | app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => { |
| 393 | if (!signature \|\| !verifySignature(payload, signature, WEBHOOK_SECRET)) { |
| 417 | For Flask (Python) webhook handler, see [references/python-examples.md](references/python-examples.md#webhook-handler-flask). |
| 419 | Webhook security rules: |
| 424 | - Store webhook secret in environment variables, never hardcode |
| 427 | Check delivery status via `GET /webhooks/{id}/deliveries` to monitor successful and failed attempts. |
| 431 | Complete end-to-end: create monitor, register webhook, handle events. |
| 444 | // 2. Register webhook |
| 445 | const webhook = await xquikFetch("/webhooks", { |
| 448 | url: "https://your-server.com/webhook", |
| 452 | // IMPORTANT: Save webhook.secret. It is shown only once! |
| 454 | // 3. Poll events (alternative to webhooks) |
| 480 | \| **Webhook/monitor update** \| Full PATCH via `xquik` tool \| PATCH endpoints \| |
| 491 | - **Set up real-time alerts:** `monitors` (action=add) -> `webhooks` (action=add) -> `webhooks` (action=test) |
| 514 | - **Free**: account info, monitor/webhook management, radar, extraction history, cost estimates, tweet composition (compose, refine, score), style cache management (list, get, save, delete, compare), |
| 534 | - **`references/python-examples.md`**: Python equivalents of all JavaScript examples (retry, extraction, draw, webhook) |
| 535 | - **`references/webhooks.md`**: Extended webhook examples, local testing with ngrok, delivery status monitoring |


Ngrok tunnel reference (1 finding)

| Line | Code |
| --- | --- |
| 535 | - **`references/webhooks.md`**: Extended webhook examples, local testing with ngrok, delivery status monitoring |


Access to .env file (1 finding)

| Line | Code |
| --- | --- |
| 378 | const WEBHOOK_SECRET = process.env.XQUIK_WEBHOOK_SECRET; |


External URL reference (10 findings)

| Line | Code |
| --- | --- |
| 4 | homepage: https://xquik.com |
| 27 | \| **Base URL** \| `https://xquik.com/api/v1` \| |
| 29 | \| **MCP endpoint** \| `https://xquik.com/mcp` (StreamableHTTP, same API key) \| |
| 42 | const BASE = "https://xquik.com/api/v1"; |
| 304 | \| `tweetUrl` \| string \| **Required.** Full tweet URL: `https://x.com/user/status/ID` \| |
| 324 | tweetUrl: "https://x.com/burakbayir/status/1893456789012345678", |
| 340 | // tweetUrl: "https://x.com/burakbayir/status/1893456789012345678", |
| 448 | url: "https://your-server.com/webhook", |
| 463 | The MCP server at `https://xquik.com/mcp` uses a code-execution sandbox model with 2 tools (`explore` + `xquik`). The agent writes async JavaScript arrow functions that run in a sandboxed environment |
| 465 | **Legacy v1 server** at `https://xquik.com/mcp/v1` exposes 18 discrete tools with traditional input schemas. All new integrations should use the default v2 server at `/mcp`. |
