twitter-autopilot-aisa

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X automation skill is mostly purpose-aligned, but it exposes the configured API key in normal command output and can perform public account actions.

Review before installing. In particular:
  • Use only a dedicated or tightly scoped Twitter/X account.
  • Keep TWITTER_RELAY_BASE_URL unset unless you fully trust the endpoint.
  • Avoid running the status, authorize and post commands in logged or shared contexts (CI output, shell history, agent transcripts) until API key redaction is fixed.
  • Require explicit human approval for every public post, reply, like, follow, unfollow and media upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares access to environment variables and relies on networked API interactions, but it does not define explicit permission boundaries. That creates a transparency and governance gap: users and orchestrators may not realize the skill can use secrets and perform external communications, which is especially relevant for a social-media automation skill that can read and write remote data.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module advertises itself as read-only, but the shared request helper includes POST support and automatically embeds the API key in POST bodies. In an agent-skill context, this mismatch is dangerous because other code can reuse the client for state-changing actions while operators believe it only performs passive reads.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The CLI description reinforces that the tool is for read-only Twitter APIs, yet the underlying transport layer can issue POST requests. This can mislead users, auditors, and orchestration systems into granting broader trust than warranted, increasing the chance of unintended write operations or credential misuse.
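The two findings above describe a request helper that is advertised as read-only yet can issue POST requests and copies the API key into POST bodies. The following is an added example (not the skill's own code) of the shape a least-privilege helper would take: the read-only contract is enforced by refusing non-read methods rather than merely omitting them from the docs, the key travels in an Authorization header instead of the serialized body, and a small review check confirms the body never carries the secret. The RelayClient class, the relay URL, the endpoint paths and the key value are assumptions chosen for illustration; Python is assumed as the implementation language.

```python
"""Least-privilege relay client: enforce the advertised read-only contract and
keep the API key out of request bodies.

Added example, not the skill's own code. RelayClient, the relay URL, the
endpoint paths and AISA_API_KEY below are assumptions for illustration.
"""
import json
import urllib.request

# Methods a client declared read-only is allowed to build.
READ_METHODS = frozenset({"GET", "HEAD"})


class ReadOnlyViolation(PermissionError):
    """Raised when a write is attempted through a client declared read-only."""


class RelayClient:
    """Builds relay requests. read_only=True means POST is refused, not hidden."""

    def __init__(self, base_url, api_key, read_only=True):
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key
        self.read_only = read_only

    def build(self, method, path, payload=None):
        method = method.upper()
        if self.read_only and method not in READ_METHODS:
            raise ReadOnlyViolation(f"{method} {path} refused: client is read-only")
        # The bearer secret goes in a header; the body is built from the payload only.
        headers = {"Authorization": f"Bearer {self._api_key}"}
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        return urllib.request.Request(
            self.base_url + path, data=body, headers=headers, method=method)


def key_in_body(req, api_key):
    """Review check: does the serialized request body carry the bearer secret?"""
    return req.data is not None and api_key.encode() in req.data


# Constructed values so the example runs offline; not real credentials or endpoints.
AISA_API_KEY = "example-key-not-real"
RELAY = "https://relay.example.invalid"


def demo():
    ro = RelayClient(RELAY, AISA_API_KEY, read_only=True)
    rw = RelayClient(RELAY, AISA_API_KEY, read_only=False)
    get_req = ro.build("GET", "/v1/timeline")
    try:
        ro.build("POST", "/v1/tweets", {"text": "hello"})
        post_blocked = False
    except ReadOnlyViolation:
        post_blocked = True
    post_req = rw.build("POST", "/v1/tweets", {"text": "hello"})
    return {
        "get_method": get_req.get_method(),
        "post_blocked_in_read_only": post_blocked,
        "post_body_leaks_key": key_in_body(post_req, AISA_API_KEY),
        "auth_header_present": post_req.get_header("Authorization") is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `key_in_body` is that it is the check an auditor can run against the real helper: build a write request with a benign payload and assert the configured key is absent from `req.data`. If the payload itself is allowed to contain the key (the last assertion below shows the check firing in that case), the mismatch the findings describe is still present.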

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The status command returns the raw configured AISA API key in ordinary JSON output, which is a direct secret disclosure. Any caller, log sink, transcript, or downstream tool that invokes status can capture and reuse that credential to access the relay, making this especially dangerous in an agent skill that may expose command output back to users or store it in traces.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The help text describes the command as showing relay engagement configuration, but the implementation also emits the unmasked API key, creating misleading expectations around sensitivity. This increases the chance that operators or agents invoke the command casually and unintentionally disclose credentials into chat responses, logs, or telemetry.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command prints the configured AISA API key directly to stdout, which can expose the credential to terminal history, logs, CI job output, or any wrapper process capturing command output. In this skill's context, the key appears to authorize Twitter relay actions, so disclosure can enable unauthorized posting or account operations through the relay.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Publishing and related command results include the raw AISA API key in user-visible JSON, causing routine use of the client to leak a bearer credential. Any process, user, agent, or log sink that reads stdout can recover the key and reuse it to invoke the relay API.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README prominently advertises capabilities to like, follow, reply, and publish posts on behalf of a user, but it does not clearly warn that these are account-affecting actions that change a user's public presence and reputation. In an autonomous-agent context this is risky: an operator may invoke the skill for information gathering and unintentionally trigger engagement or posting with real consequences on a live Twitter/X account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises posting, replying, liking, following, and similar account-affecting actions without an explicit warning that these operations can change a user's public account state. In practice, that can lead to unintended social actions, reputation damage, or misuse if invoked without sufficiently clear user confirmation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation mentions OAuth-based write paths but does not clearly explain the privacy and integrity implications of granting OAuth authorization. Users may not appreciate that authorization enables the skill to act on their behalf, potentially creating posts or engagements that are public and attributable to them.
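The three Missing User Warnings findings above (account-affecting actions without a warning, and OAuth authorization letting the skill act on the user's behalf) and the overview's recommendation of explicit human approval for every public action share one mitigation: an approval gate that sits between the agent and the relay. The following is an added example, not the skill's own code, of such a gate. Reads pass through; each public action needs a prior approval bound to a digest of the exact action and payload, and one approval is spent by one execution, so an agent cannot reuse a "yes" for edited text or post the same thing twice. The action names, ActionGate, the ticket scheme and the fake executor are assumptions for illustration.

```python
"""Human-approval gate for account-affecting actions.

Added example, not the skill's own code. The action names, ActionGate,
the ticket scheme and the fake executor are assumptions for illustration.
"""
import hashlib
import json

# Actions that change public account state; each needs explicit approval.
PUBLIC_ACTIONS = frozenset({"post", "reply", "like", "follow", "unfollow", "upload_media"})
# Passive reads the skill may perform without a human in the loop.
READ_ACTIONS = frozenset({"timeline", "search", "status"})


class ApprovalDenied(PermissionError):
    """Raised when a public action runs without a matching, unused approval."""


def approval_ticket(action, params):
    """Digest binding an approval to one exact action and payload, so a 'yes'
    to one post cannot be reused for different text or a different target."""
    canon = json.dumps({"action": action, "params": params},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ActionGate:
    def __init__(self, executor):
        self.executor = executor   # callable(action, params) -> result
        self._approved = set()     # tickets a human has approved and not yet spent
        self.audit = []            # (decision, action, ticket) for later review

    def plan(self, action, params):
        """Show the human exactly what would be sent, together with its ticket."""
        return {"action": action, "params": dict(params),
                "ticket": approval_ticket(action, params)}

    def approve(self, ticket):
        self._approved.add(ticket)

    def run(self, action, params):
        if action in READ_ACTIONS:
            self.audit.append(("read", action, None))
            return self.executor(action, params)
        if action not in PUBLIC_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        ticket = approval_ticket(action, params)
        if ticket not in self._approved:
            self.audit.append(("denied", action, ticket))
            raise ApprovalDenied(f"{action} requires approval of ticket {ticket[:12]}")
        self._approved.discard(ticket)   # one approval buys exactly one execution
        self.audit.append(("approved", action, ticket))
        return self.executor(action, params)


def fake_executor(action, params):
    """Stand-in for the relay call; records instead of touching Twitter/X."""
    return {"ok": True, "action": action, "params": params}


def _attempt(gate, action, params):
    try:
        gate.run(action, params)
        return "ran"
    except ApprovalDenied:
        return "denied"


def demo():
    gate = ActionGate(fake_executor)
    out = {"read": gate.run("timeline", {"user": "example"})["ok"]}
    out["unapproved_post"] = _attempt(gate, "post", {"text": "hello"})
    plan = gate.plan("post", {"text": "hello"})
    gate.approve(plan["ticket"])          # the human consents to this exact post
    out["approved_post"] = _attempt(gate, "post", {"text": "hello"})
    out["same_post_again"] = _attempt(gate, "post", {"text": "hello"})
    out["edited_post"] = _attempt(gate, "post", {"text": "hello!"})
    out["audit"] = [decision for decision, _, _ in gate.audit]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Binding the approval to a digest of the canonical payload is what makes the warning actionable rather than decorative: the human approves a specific post, reply or follow, and any change the agent makes afterwards produces a different ticket and is refused.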

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code transmits the AISA API key to an external relay, and for POST requests it additionally places the secret into the JSON body. In an autonomous-agent setting, silent credential transmission to a third-party relay without clear user disclosure or minimization increases the risk of secret exposure through logs, intermediaries, or unexpected downstream handling.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The API key is exposed in normal output without masking or warning, so benign diagnostic use can become credential leakage. In an agent-integrated Twitter automation skill, this is more dangerous because outputs may be surfaced to end users or persisted in execution history, enabling easy credential theft and unauthorized engagement actions through the relay.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This is a real secret-disclosure issue, not merely a quality concern: the status output reveals a live API key without masking or warning. Because this utility is designed for automation, stdout is especially likely to be captured by logs, orchestration layers, or other agents, increasing the chance of credential compromise.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The authorization flow prints the API key in the returned JSON alongside the authorization URL, exposing the credential during a common setup operation. Since users may copy, paste, store, or share this output while troubleshooting OAuth, the key can be unintentionally leaked outside the intended trust boundary.

Ssd 3

High
Confidence
99% confidence
Finding
The status response includes the plaintext API key as part of routine output, which is a straightforward sensitive-data disclosure issue. Because this skill can publish posts and perform engagement actions via a relay, leaked credentials could let an attacker drive unauthorized social actions, abuse the relay, and potentially impersonate the configured account or service context.

Ssd 3

High
Confidence
100% confidence
Finding
Echoing the bearer API key in normal publish results is a direct sensitive-data exposure vulnerability. In a Twitter automation skill, compromise of this key may let an attacker submit posts, upload media, or trigger other relay-backed actions as the configured principal, making the impact more serious than a generic information leak.

Ssd 3

High
Confidence
99% confidence
Finding
The authorization and status code paths disclose the API key in printed responses, creating repeated opportunities for credential leakage during ordinary use. Because the key is a bearer secret, anyone who obtains it may be able to act through the AISA Twitter relay without further proof of identity.
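The status, authorize and publish findings above all reduce to the same defect: a bearer secret reaches stdout unmasked, and anything that captures stdout (logs, CI output, transcripts, other agents) inherits it. The following is an added example, not the skill's own code, of the redaction pass a practitioner would put in front of that output until the skill is fixed, plus a post-hoc check for logs that may already contain the key. It masks fields whose names look secret-bearing and also replaces the known key value wherever it appears inside strings, which covers the authorize case where the key is embedded in a URL. The sample status and authorize JSON, the field names and the key value are constructed for illustration.

```python
"""Redact bearer secrets from command output before it reaches a log, a
transcript or another agent.

Added example, not the skill's own code. The sample status/authorize JSON,
the field names and API_KEY below are constructed for illustration.
"""
import json
import re

# Field names that should never be printed in the clear.
SECRET_FIELD = re.compile(r"(api[_-]?key|token|secret|password)", re.IGNORECASE)
MASK = "***REDACTED***"


def _mask_value(value):
    """Keep a 4-char tail so operators can still tell which key is configured."""
    if isinstance(value, str) and len(value) > 8:
        return MASK + value[-4:]
    return MASK


def redact(obj, secrets=()):
    """Recursively mask (a) any string field whose name looks secret-bearing and
    (b) any occurrence of a known secret value inside strings, e.g. a key
    embedded in an authorization URL."""
    if isinstance(obj, dict):
        return {
            k: (_mask_value(v) if SECRET_FIELD.search(k) and isinstance(v, str)
                else redact(v, secrets))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v, secrets) for v in obj]
    if isinstance(obj, str):
        for s in secrets:
            if s:
                obj = obj.replace(s, MASK)
        return obj
    return obj


def leaks(text, secret):
    """Post-hoc check for logs and transcripts: count plaintext occurrences."""
    return text.count(secret) if secret else 0


# Constructed samples resembling the unmasked output the findings describe.
API_KEY = "aisa-example-key-0123456789abcdef"
STATUS_OUTPUT = {
    "relay": "https://relay.example.invalid",
    "api_key": API_KEY,
    "engagement": {"auto_like": False, "auto_follow": False},
}
AUTHORIZE_OUTPUT = {
    "authorize_url": f"https://relay.example.invalid/oauth/start?key={API_KEY}",
    "apiKey": API_KEY,
}


def demo():
    raw = json.dumps({"status": STATUS_OUTPUT, "authorize": AUTHORIZE_OUTPUT})
    clean = json.dumps(redact(json.loads(raw), secrets=[API_KEY]))
    return {"before": leaks(raw, API_KEY), "after": leaks(clean, API_KEY),
            "clean": json.loads(clean)}


if __name__ == "__main__":
    print(json.dumps(demo()["clean"], indent=2))
```

Wrapping the skill's commands so their stdout is parsed and passed through `redact` keeps the diagnostic value of status (relay URL, engagement flags, key tail) without the credential; `leaks` is the check to run over existing CI logs and agent traces to decide whether the key must be rotated.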

VirusTotal

0/63 vendors flagged this skill as malicious (all 63 reported it clean). This is a file-reputation check only; it says nothing about the credential-disclosure and capability findings above.
