social-intelligence

[Skill Scanner] Natural language instruction to download and install from URL detected This skill manifest is coherent with its stated purpose and does not include obvious malware. However it routes all queries and credentials through the Xpoz-managed MCP backend (mcp.xpoz.ai) and requires installing additional components (mcporter, xpoz-setup). That centralization is the main supply-chain/privacy risk: the vendor gains access to all queries, results, and OAuth tokens. There are no hardcoded secrets or obfuscation in the manifest itself, but because the backend handles data and auth, use of this skill requires trusting Xpoz/ClawHub operators and their security practices. Treat this as potentially suspicious from a data-exposure and supply-chain perspective; benign in behavior but moderate trust required. LLM verification: This SKILL.md is functionally coherent with a hosted social intelligence product that proxies agent queries through a centralized MCP backend (Xpoz). I found no direct in-repo code that performs system-level malicious actions, obfuscated payloads, or hardcoded secrets in the supplied text. However, the architecture concentrates all queries, results, and CSV exports through a third-party MCP server (clawhub.ai / xpoz.ai) and advertises 'twitter-api-alternative' (API-free access), which increases