Skill v2026.2.26

ClawScan security

Xint · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 16, 2026, 10:51 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior and code largely match an X/Twitter CLI, but registry metadata and packaging claims are inconsistent with the shipped files and a prompt‑injection indicator was detected — review before installing or granting credentials.
Guidance
This package appears to be a full-featured X/Twitter CLI (search, watch, OAuth, xAI analysis) and the code and README substantiate that. However: (1) the platform metadata claims 'instruction-only' and 'no required env vars' while SKILL.md and the code require an X_BEARER_TOKEN and optionally xAI and OAuth keys — treat that mismatch as a red flag; (2) the repo includes an installer (install.sh) and many code files, so don't assume it's a lightweight instruction-only skill; (3) a prompt-injection pattern was flagged in SKILL.md — audit agent-facing instruction text if you plan to let an automated agent use this skill. Recommended steps before installing/using: verify the upstream GitHub repository and owner, inspect install.sh and xint.ts locally (don't run curl|bash blindly), confirm the code only calls the documented X/xAI endpoints (api.x.com, x.com, api.x.ai), run in an isolated environment or container, never provide credentials to unknown hosts, set XINT_MCP_AUTH_TOKEN before enabling MCP on non-loopback hosts, and prefer manual invocation rather than granting autonomous model invocation until you are satisfied with the code and metadata alignment.
Findings
[system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md. The file is agent-facing and instructs agents how to use the skill; this increases the risk that an agent could be prompted to run commands not strictly necessary. The SKILL.md content shown does not contain a clear malicious system-prompt override, but the flagged pattern warrants manual review of any agent-directed instruction blocks before granting the skill autonomous action.

Review Dimensions

Purpose & Capability
concern: SKILL.md, README, and the included TypeScript code implement an X/Twitter CLI (search, watch, OAuth, Grok AI integration, MCP server), which is coherent with the stated purpose. However the registry metadata at the top of the submission claims 'instruction-only' with no required env vars / credentials while SKILL.md and the code require X_BEARER_TOKEN (primary) and optionally XAI_API_KEY, X_CLIENT_ID, and others. That mismatch between declared requirements and actual files is a packaging/metadata inconsistency that could mislead installers.
Instruction Scope
note: The SKILL.md instructs agents and users to set X_BEARER_TOKEN, run Bun scripts, start an optional local MCP server, and may write caches/exports/oauth tokens to data/. Those instructions stay within the CLI's stated scope, and they explicitly call out security controls (chmod 600, webhook allowlists). However SKILL.md is agent-facing (tells AI agents to read and run commands) and a pre-scan detected a 'system-prompt-override' pattern in the SKILL.md — while the file content shown does not contain an explicit malicious system-prompt string, the presence of that pattern raises caution about prompt-injection style guidance embedded for agents.
Install Mechanism
note: There is no 'install spec' in the registry, but the repository includes an install.sh installer that downloads a GitHub release tarball and extracts it (uses GitHub releases and verifies checksums if available). Downloading from GitHub releases is a standard pattern (lower risk than arbitrary URLs), but the initial top-level metadata claiming 'instruction-only' contradicts the presence of this installer and many code files — the mismatch is noteworthy and increases risk if users expect no code execution. The README also suggests curl|bash install from raw.githubusercontent which is a higher-risk installation pattern; the script itself is reasonably defensive (checksum checks optional).
Credentials
concern: The required credentials listed in SKILL.md (X_BEARER_TOKEN required; XAI_API_KEY, X_CLIENT_ID, XAI_MANAGEMENT_API_KEY optional) are proportional to the described features (API search, OAuth write actions, xAI analysis). However the registry summary that was supplied to the platform omitted these required env vars and primary credential, creating an inconsistency: the platform metadata claims 'none' while the skill code and SKILL.md require secrets. That discrepancy is a significant red flag because security decisions (scoping, review) may rely on accurate metadata.
Persistence & Privilege
ok: The skill does not request 'always: true' and SKILL.md indicates network endpoints are limited to X and xAI endpoints. It optionally runs an MCP server (local by default binding to loopback) and stores data under its own data/ directory; OAuth tokens are stored locally with advised restrictive permissions. Those behaviors are normal for a CLI of this kind. Because the skill can be used as an agent tool (MCP), ensure the MCP server is only bound to loopback or protected with a strong XINT_MCP_AUTH_TOKEN if exposed.