x-twitter-scraper

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill manifest documents an integration with the Xquik third-party X/Twitter data provider and requires an x-api-key. Functionality and requested permissions (API key, ability to write .mcp.json) are consistent with the claimed purpose. The primary security concerns are operational: storing long-lived API keys in plaintext config files (.mcp.json), centralizing sensitive data and streams at a third-party domain, and the capability to perform large bulk extractions and exports, which could be abused if keys are leaked. There is no evidence in the provided document of obfuscated code, hidden download-and-execute instructions, credential-harvesting endpoints outside of the stated provider, or direct malicious payloads. Recommendations: avoid committing API keys to repos, use short-lived credentials or environment-based secrets where possible, restrict extraction scopes, and validate the trustworthiness of xquik.com before provisioning keys.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Mar 1, 2026, 07:29 PM
Package URL: pkg:socket/skills-sh/davila7%2Fclaude-code-templates%2Fx-twitter-scraper%2F@27ad966795b54146d6652b2b8f6a1bd903209c77