AIsa Twitter API Command Center

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it exposes the AIsa API key in normal command output, which can leak a sensitive credential into logs or agent transcripts.

Review before installing. Only use this if you trust AIsa with Twitter/X data, post content, selected media files, and the configured AISA_API_KEY. Until the scripts are fixed, avoid running authorize or post commands where terminal output is logged, shared, or captured, and confirm exact post text, target tweet, account context, and media files before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill declares required environment variables and clearly depends on outbound API access, but it does not declare explicit permissions for those capabilities. That mismatch weakens platform transparency and consent, because users and orchestrators may not realize the skill can read secrets from the environment and transmit data off-host. In this context the risk is elevated because the skill is explicitly designed to send user content, OAuth-related requests, and API-key-authenticated traffic to a third-party service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The post/status code returns and prints the raw AIsa API key in normal command output, which creates an immediate credential disclosure risk through terminal logs, shell history capture, CI logs, wrappers, or downstream tooling that records stdout. In this skill's context, the key is a privileged bearer credential for the AIsa relay, so exposing it is unnecessary for Twitter posting functionality and materially increases the chance of account or API abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The authorize command prints the raw API key alongside the authorization URL, directly leaking a bearer token during an operation that does not require the user to view the secret. Because OAuth authorization flows are often run interactively and captured in terminal scrollback or support logs, this disclosure makes credential compromise far more likely.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises OAuth-gated posting and bundled scripts but does not warn users that the skill may transmit data to external services or perform account-affecting actions such as posting. In a social-media automation context, this omission can lead to users invoking the skill without understanding the privacy, credential, or reputational consequences of execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to send local workspace image/video files to a relay backend for upload, but it does not clearly disclose to the user at the point of use that local files leave the device and are transmitted to a third-party service. This creates a privacy and data-handling risk because users may attach sensitive media assuming it is only used locally for posting, without understanding the relay path through api.aisa.one.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Printing relay responses and the API key to stdout without an explicit warning or redaction can expose sensitive data to users, operators, log collectors, or orchestration systems. While stdout disclosure is secondary to the underlying secret exposure, in practice it is a common exfiltration path and therefore a real security/privacy weakness.

VirusTotal

65/65 vendors flagged this skill as clean.
