Stats
Actions
Tags
From xpoz
Monitors Twitter/X and Reddit for CVE mentions, zero-day chatter, breach reports, and emerging threats using Xpoz. Useful for early warning intelligence before formal advisories.
How this skill is triggered — by the user, by Claude, or both
Slash command
/xpoz:security-osintThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Monitor Twitter/X and Reddit for security-related discussions — CVE mentions, zero-day chatter, breach reports, exploit code sharing, and emerging threats. Provides early warning intelligence often 24-48 hours before formal advisories.
Monitor Twitter/X and Reddit for security-related discussions — CVE mentions, zero-day chatter, breach reports, exploit code sharing, and emerging threats. Provides early warning intelligence often 24-48 hours before formal advisories.
Activate when the user asks:
Before fetching data, ensure Xpoz access is configured. Follow these checks in order.
If you have MCP tools, try calling any Xpoz tool (e.g., checkAccessKeyStatus). If it works → skip to Step 1.
If you have the SDK, try:
from xpoz import XpozClient
client = XpozClient() # reads XPOZ_API_KEY env var
If this succeeds without error → skip to Step 1.
If neither works, you need to authenticate. Choose the path that fits your environment:
If mcporter is available:
mcporter call xpoz.checkAccessKeyStatus
If hasAccessKey: true → ready. If not:
mcporter config add xpoz https://mcp.xpoz.ai/mcp --auth oauth
Then authenticate — generate the OAuth URL and send it to the user:
Step 1: Generate authorization URL
import secrets, hashlib, base64, urllib.parse, json, urllib.request, os
verifier = secrets.token_urlsafe(64)
challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b'=').decode()
state = secrets.token_urlsafe(32)
# Dynamic client registration
reg_req = urllib.request.Request(
'https://mcp.xpoz.ai/oauth/register',
data=json.dumps({
'client_name': 'Agent Skills',
'redirect_uris': ['https://www.xpoz.ai/oauth/openclaw'],
'grant_types': ['authorization_code'],
'response_types': ['code'],
'token_endpoint_auth_method': 'none',
}).encode(),
headers={'Content-Type': 'application/json'},
)
reg_resp = json.loads(urllib.request.urlopen(reg_req).read())
params = urllib.parse.urlencode({
'response_type': 'code',
'client_id': reg_resp['client_id'],
'code_challenge': challenge,
'code_challenge_method': 'S256',
'redirect_uri': 'https://www.xpoz.ai/oauth/openclaw',
'state': state,
'scope': 'mcp:tools',
'resource': 'https://mcp.xpoz.ai/',
})
auth_url = 'https://mcp.xpoz.ai/oauth/authorize?' + params
# Save state for token exchange
os.makedirs(os.path.expanduser('~/.cache/xpoz-oauth'), exist_ok=True)
with open(os.path.expanduser('~/.cache/xpoz-oauth/state.json'), 'w') as f:
json.dump({'verifier': verifier, 'state': state, 'client_id': reg_resp['client_id'],
'redirect_uri': 'https://www.xpoz.ai/oauth/openclaw'}, f)
print(auth_url)
Step 2: Send the URL to the user
Tell them:
"I need to connect to Xpoz for social media data. Please open this link and sign in:
[auth_url]
After authorizing, you'll see a code. Paste it back to me here."
Step 3: WAIT for the user to reply with the code. Do not proceed until they respond.
Step 4: Exchange the code for a token
Once the user provides the code (either a raw code or a URL containing ?code=...), extract the code and exchange it:
import json, urllib.request, urllib.parse, subprocess, os
with open(os.path.expanduser('~/.cache/xpoz-oauth/state.json')) as f:
oauth = json.load(f)
code = "THE_CODE_FROM_USER" # Extract from user's reply
data = urllib.parse.urlencode({
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': oauth['redirect_uri'],
'client_id': oauth['client_id'],
'code_verifier': oauth['verifier'],
}).encode()
req = urllib.request.Request(
'https://mcp.xpoz.ai/oauth/token',
data=data,
headers={'Content-Type': 'application/x-www-form-urlencoded'},
)
resp = json.loads(urllib.request.urlopen(req).read())
token = resp['access_token']
# Configure mcporter with the token (token is never printed)
subprocess.run(['mcporter', 'config', 'remove', 'xpoz'], capture_output=True)
subprocess.run(['mcporter', 'config', 'add', 'xpoz', 'https://mcp.xpoz.ai/mcp',
'--header', f'Authorization=Bearer {token}'], check=True)
# Clean up
os.remove(os.path.expanduser('~/.cache/xpoz-oauth/state.json'))
print("Xpoz configured successfully")
Step 5: Verify with mcporter call xpoz.checkAccessKeyStatus → should return hasAccessKey: true.
For Claude Code users without mcporter, add to ~/.claude.json:
{
"mcpServers": {
"xpoz": {
"url": "https://mcp.xpoz.ai/mcp",
"transport": "http-stream"
}
}
}
Claude Code handles OAuth automatically on first tool call — the user just needs to authorize in their browser when prompted.
Ask the user:
"I need a Xpoz API key to access social media data. Please go to https://xpoz.ai/get-token (it's free, no credit card needed) and paste the key back to me."
WAIT for the user to reply with the key. Then:
Python:
pip install xpoz
from xpoz import XpozClient
client = XpozClient("THE_KEY_FROM_USER")
TypeScript:
npm install @xpoz/xpoz
import { XpozClient } from "@xpoz/xpoz";
const client = new XpozClient({ apiKey: "THE_KEY_FROM_USER" });
await client.connect();
Or set the environment variable and use the default constructor:
export XPOZ_API_KEY=THE_KEY_FROM_USER
| Problem | Solution |
|---|---|
| MCP: "Unauthorized" | Re-run the OAuth flow above |
SDK: AuthenticationError | Verify key at xpoz.ai/settings |
| Token exchange fails | Ask user to re-authorize — codes are single-use |
Extract:
Build targeted queries:
For a specific CVE:
"CVE-2026-1234" OR "CVE202612345"
For a software vulnerability:
("[SOFTWARE]" AND ("vulnerability" OR "vuln" OR "exploit" OR "RCE" OR "zero-day" OR "0day" OR "CVE"))
For breach monitoring:
("[COMPANY]" AND ("breach" OR "hacked" OR "leak" OR "data leak" OR "compromised" OR "ransomware"))
For threat actor tracking:
("[THREAT ACTOR]" OR "[KNOWN ALIASES]") AND ("attack" OR "campaign" OR "APT" OR "malware")
Twitter (security researchers are very active here):
Call getTwitterPostsByKeywords:
query: "<security query>"
fields: ["id", "text", "authorUsername", "createdAtDate", "likeCount", "retweetCount", "impressionCount"]
startDate: "<7 days ago, YYYY-MM-DD>"
endDate: "<today, YYYY-MM-DD>"
language: "en"
Find security researchers discussing the topic:
Call getTwitterUsersByKeywords:
query: "<security query>"
fields: ["id", "username", "name", "description", "followersCount", "relevantTweetsCount", "relevantTweetsLikesSum", "verified"]
startDate: "<7 days ago>"
Reddit (r/netsec, r/cybersecurity, r/hacking, etc.):
Call getRedditPostsByKeywords:
query: "<security query>"
fields: ["id", "title", "text", "authorUsername", "createdAtDate", "score", "numComments", "subreddit", "url"]
startDate: "<7 days ago>"
CRITICAL: Poll checkOperationStatus with each operationId until "completed".
from xpoz import XpozClient
client = XpozClient()
cve_id = "CVE-2026-1234"
query = f'"{cve_id}"'
# Twitter - security researcher chatter
twitter_posts = client.twitter.search_posts(
query,
start_date="2026-02-16",
end_date="2026-02-23",
fields=["id", "text", "author_username", "created_at_date", "like_count", "retweet_count", "impression_count"]
)
# Find researchers discussing it
researchers = client.twitter.get_users_by_keywords(
query,
start_date="2026-02-16",
fields=["username", "name", "description", "followers_count", "relevant_tweets_count", "verified"]
)
# Reddit - deeper technical discussions
reddit_posts = client.reddit.search_posts(
query,
start_date="2026-02-16",
fields=["id", "title", "text", "author_username", "created_at_date", "score", "num_comments", "subreddit", "url"]
)
print(f"Twitter: {twitter_posts.pagination.total_rows} posts")
print(f"Reddit: {reddit_posts.pagination.total_rows} posts")
print(f"Researchers: {researchers.pagination.total_rows} users")
# Export for analysis
twitter_csv = twitter_posts.export_csv()
reddit_csv = reddit_posts.export_csv()
client.close()
import { XpozClient } from "@xpoz/xpoz";
const client = new XpozClient();
await client.connect();
const cveId = "CVE-2026-1234";
const twitterPosts = await client.twitter.searchPosts(`"${cveId}"`, {
startDate: "2026-02-16",
endDate: "2026-02-23",
fields: ["id", "text", "authorUsername", "createdAtDate", "likeCount", "retweetCount"],
});
const redditPosts = await client.reddit.searchPosts(`"${cveId}"`, {
startDate: "2026-02-16",
fields: ["id", "title", "text", "score", "numComments", "subreddit"],
});
await client.close();
Timeline Reconstruction:
Severity Assessment (from social signals):
| Signal | Indicates |
|---|---|
| High engagement + rapid spread | Critical/actively exploited |
| Security researchers sharing PoC code | Weaponization in progress |
| Vendor accounts responding | Acknowledged, patch likely coming |
| Low volume, technical-only discussion | Early stage or low severity |
| Mentions of "in the wild" / "actively exploited" | Immediate action needed |
Source Credibility:
Key Information to Extract:
## Security Intelligence: [TARGET]
**Period:** [date range] | **Sources:** Twitter ([X] posts), Reddit ([X] posts)
### ⚠️ Threat Summary
**Severity:** Critical / High / Medium / Low
**Status:** [Active exploitation / PoC available / Discussion only / Patched]
**First seen:** [date of earliest social mention]
### Timeline
| Date | Source | Event |
|------|--------|-------|
| Feb 16 | Twitter @researcher | First public mention of vulnerability |
| Feb 17 | Reddit r/netsec | Technical analysis posted |
| Feb 18 | Twitter @vendor | Patch announced |
### Technical Details (from social sources)
- **Affected:** [software, versions]
- **Vector:** [remote/local, auth requirements]
- **Impact:** [RCE, data leak, DoS, etc.]
- **Exploit:** [PoC available? Where?]
- **Patch:** [Available? Version? Workaround?]
### Key Voices
| Researcher | Followers | Posts | Credibility |
|-----------|-----------|-------|-------------|
| @security_expert | 50K | 3 | High (CISO at [company]) |
| ... | ... | ... | ... |
### Notable Posts
> "Actual quote from security researcher" — @username (❤️ X, 🔁 X)
### Subreddit Activity
| Subreddit | Posts | Top Thread |
|-----------|-------|-----------|
| r/netsec | X | "Title..." (⬆️ X, 💬 X) |
| r/cybersecurity | X | "Title..." |
### Recommended Actions
1. [Immediate: patch/mitigate if affected]
2. [Monitor: watch for exploitation reports]
3. [Investigate: check logs for IoCs]
relevantTweetsCount from user search to find who's most actively discussing a threatnpx claudepluginhub xpozpublic/xpoz-agent-skills --plugin xpozMonitors dark web sources for organizational asset mentions, leaked credentials, and threat actor communications. Use for early warning intelligence on data breaches and dark web OSINT.
Monitors dark web sources for organizational asset mentions, leaked credentials, and threat actor communications. Use for early warning intelligence on data breaches and dark web OSINT.
Researches malware analysis, CVEs, attribution reports, and hacker community sources for cybersecurity incidents or threat actors.