x-twitter-scraper
Enables efficient data extraction from X (Twitter) using a cost-effective API for monitoring and analysis.
Security score
The x-twitter-scraper skill was audited on Mar 30, 2026 and we found 52 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 367 | const response = await fetch(`${BASE}${path}`, { |
Template literal with variable interpolation in command context
| 377 | throw new Error(`Xquik API ${response.status}: ${error.error}`); |
Template literal with variable interpolation in command context
| 403 | const data = await xquikFetch(`${path}?${params}`); |
Template literal with variable interpolation in command context
| 481 | job = await xquikFetch(`/extractions/${job.id}`); |
Template literal with variable interpolation in command context
| 489 | const path = `/extractions/${job.id}${cursor ? `?after=${cursor}` : ""}`; |
Template literal with variable interpolation in command context
| 499 | const exportUrl = `${BASE}/extractions/${job.id}/export?format=csv`; |
Template literal with variable interpolation in command context
| 548 | const details = await xquikFetch(`/draws/${draw.id}`); |
Template literal with variable interpolation in command context
| 555 | const exportUrl = `${BASE}/draws/${draw.id}/export?format=csv`; |
Fetch to external URL
| 452 | const estimate = await xquikFetch("/extractions/estimate", { |
Fetch to external URL
| 468 | const job = await xquikFetch("/extractions", { |
Fetch to external URL
| 531 | const draw = await xquikFetch("/draws", { |
Fetch to external URL
| 623 | const monitor = await xquikFetch("/monitors", { |
Fetch to external URL
| 632 | const webhook = await xquikFetch("/webhooks", { |
Fetch to external URL
| 642 | const events = await xquikFetch("/events?monitorId=7&limit=50"); |
Webhook reference - potential data exfiltration
| 3 | description: "X (Twitter) data platform skill for AI coding agents. 120 REST API endpoints, 2 MCP tools, HMAC webhooks. Tweet search, user lookup, follower extraction, write actions, monitoring, givea |
Webhook reference - potential data exfiltration
| 20 | Xquik is an X (Twitter) real-time data platform providing a REST API (120 endpoints), 2 MCP tools, and HMAC webhooks. It covers account monitoring, bulk data extraction (23 tools), giveaway draws, twe |
Webhook reference - potential data exfiltration
| 121 | Monitors, webhooks, integrations, account status, radar (7 sources), extraction/draw history, cost estimates, tweet composition (compose, refine, score), style cache management, drafts, support ticket |
Webhook reference - potential data exfiltration
| 132 | | **Monitoring + webhooks** | **Free** | Not available | Not available | |
Webhook reference - potential data exfiltration
| 248 | ├─ Receive events via webhook → POST /webhooks |
Webhook reference - potential data exfiltration
| 302 | | **Receive events in real time** | `POST /webhooks` | Free | |
Webhook reference - potential data exfiltration
| 303 | | **Update webhook** | `PATCH /webhooks/{id}` | Free | |
Webhook reference - potential data exfiltration
| 338 | | **Trigger flow via webhook** | `POST /webhooks/inbound/{token}` | Free | |
Webhook reference - potential data exfiltration
| 348 | | 400 | `invalid_input`, `invalid_id`, `invalid_params`, `invalid_tweet_url`, `invalid_tweet_id`, `invalid_username`, `invalid_tool_type`, `invalid_format`, `missing_query`, `missing_params`, `webhook |
Webhook reference - potential data exfiltration
| 558 | ## Webhook Event Handling |
Webhook reference - potential data exfiltration
| 560 | Webhooks deliver events to your HTTPS endpoint with HMAC-SHA256 signatures. Each delivery is a POST with `X-Xquik-Signature` header and JSON body containing `eventType`, `username`, and `data`. |
Webhook reference - potential data exfiltration
| 562 | ### Webhook Handler (Express) |
Webhook reference - potential data exfiltration
| 568 | const WEBHOOK_SECRET = process.env.XQUIK_WEBHOOK_SECRET; |
Webhook reference - potential data exfiltration
| 578 | app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => { |
Webhook reference - potential data exfiltration
| 583 | if (!signature || !verifySignature(payload, signature, WEBHOOK_SECRET)) { |
Webhook reference - potential data exfiltration
| 605 | For Flask (Python) webhook handler, see [references/python-examples.md](references/python-examples.md#webhook-handler-flask). |
Webhook reference - potential data exfiltration
| 607 | Webhook security rules: |
Webhook reference - potential data exfiltration
| 612 | - Store webhook secret in environment variables, never hardcode |
Webhook reference - potential data exfiltration
| 615 | Check delivery status via `GET /webhooks/{id}/deliveries` to monitor successful and failed attempts. |
Webhook reference - potential data exfiltration
| 619 | Complete end-to-end: create monitor, register webhook, handle events. |
Webhook reference - potential data exfiltration
| 631 | // 2. Register webhook (free) |
Webhook reference - potential data exfiltration
| 632 | const webhook = await xquikFetch("/webhooks", { |
Webhook reference - potential data exfiltration
| 635 | url: "https://your-server.com/webhook", |
Webhook reference - potential data exfiltration
| 639 | // IMPORTANT: Save webhook.secret. It is shown only once! |
Webhook reference - potential data exfiltration
| 641 | // 3. Poll events (alternative to webhooks, free) |
Webhook reference - potential data exfiltration
| 677 | - **Set up real-time alerts:** `POST /monitors` → `POST /webhooks` → `POST /webhooks/{id}/test` |
Webhook reference - potential data exfiltration
| 711 | - **`references/python-examples.md`**: Python equivalents of all JavaScript examples (retry, extraction, draw, webhook) |
Webhook reference - potential data exfiltration
| 712 | - **`references/webhooks.md`**: Extended webhook examples, local testing with ngrok, delivery status monitoring |
Ngrok tunnel reference
| 712 | - **`references/webhooks.md`**: Extended webhook examples, local testing with ngrok, delivery status monitoring |
Access to .env file
| 568 | const WEBHOOK_SECRET = process.env.XQUIK_WEBHOOK_SECRET; |
External URL reference
| 4 | compatibility: Requires internet access to call the Xquik REST API (https://xquik.com/api/v1) |
External URL reference
| 41 | | **Base URL** | `https://xquik.com/api/v1` | |
External URL reference
| 43 | | **MCP endpoint** | `https://xquik.com/mcp` (StreamableHTTP, same API key) | |
External URL reference
| 272 | const BASE = "https://xquik.com/api/v1"; |
External URL reference
| 514 | | `tweetUrl` | string | **Required.** Full tweet URL: `https://x.com/user/status/ID` | |
External URL reference
| 534 | tweetUrl: "https://x.com/burakbayir/status/1893456789012345678", |
External URL reference
| 635 | url: "https://your-server.com/webhook", |
External URL reference
| 649 | The MCP server at `https://xquik.com/mcp` provides 2 tools. StreamableHTTP transport. API key auth (`x-api-key` header) for CLI/IDE clients; OAuth 2.1 for web clients (Claude.ai, ChatGPT Developer Mod |