twitter-autopilot-zh

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X automation skill does what it advertises, but it exposes the configured AISA API key in normal command output.

Review before installing. Use only if you trust the AISA relay and are comfortable granting Twitter/X posting and engagement authority. Avoid running status, authorize, or post flows with a production AISA key until the skill redacts secrets; rotate any key that may already have appeared in logs or transcripts.
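The rotation advice above assumes you can find out whether the key has already been written to a transcript or log. As an added example (not part of this report or the skill), the following scan looks for an unredacted value printed under the `aisa_api_key` field, either in the JSON status output the findings describe or in a shell-style `KEY=value` line. The key format is not stated anywhere on this page, so matching is by field name rather than key shape, and the transcript lines are constructed for the example.

```python
"""Scan captured agent output for an AISA relay key that was printed in clear.

Added example, not the skill's own code. Assumptions: the secret is printed
under the field name `aisa_api_key` (as the findings state); its format is
unknown, so nothing here matches on key shape.
"""
import re

FIELD = "aisa_api_key"

# JSON form the findings describe:  "aisa_api_key": "<value>"
_JSON_RE = re.compile(r'"%s"\s*:\s*"([^"]*)"' % re.escape(FIELD), re.IGNORECASE)
# key=value / key: value form, e.g. an exported env var echoed into a transcript
_KV_RE = re.compile(r'\b%s\s*[=:]\s*([^\s,"}]+)' % re.escape(FIELD), re.IGNORECASE)

# Values that show the output was already redacted or empty; not leaks.
REDACTED = {"", "***", "<redacted>", "null", "none"}

# Constructed transcript: a status call, a redacted status call, an echoed env
# var, and an error path that dumps the whole config (the pattern in the findings).
SAMPLE_TRANSCRIPT = [
    '2024-05-01T10:00:00Z agent=orchestrator tool=twitter-autopilot-zh cmd=status',
    '{"configured": true, "relay_url": "https://relay.example.invalid", '
    '"aisa_api_key": "aisa-0123456789abcdef0123456789abcdef"}',
    '{"configured": true, "relay_url": "https://relay.example.invalid", "aisa_api_key": "***cdef"}',
    'export AISA_API_KEY=aisa-0123456789abcdef0123456789abcdef',
    '{"ok": false, "error": "relay 401", "config": {"aisa_api_key": "aisa-ffff0000ffff0000ffff0000ffff0000"}}',
    'tweet posted: id=1234567890',
]


def is_redacted(value: str) -> bool:
    """True for placeholder values a redacting implementation would print."""
    return value.lower() in REDACTED or value.startswith("***")


def find_leaks(lines):
    """Return (line_number, value) for every line carrying an unredacted key value.

    JSON matches take precedence on a line; the key=value form is only tried
    when the line has no quoted field, so one leak is reported once.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        values = _JSON_RE.findall(line) or _KV_RE.findall(line)
        for v in values:
            if not is_redacted(v):
                hits.append((n, v))
    return hits


def keys_to_rotate(lines):
    """Distinct leaked values, identified by their last four characters only,
    so the report of the leak does not itself re-log the secret."""
    return sorted({"***" + v[-4:] for _, v in find_leaks(lines)})


if __name__ == "__main__":
    for n, v in find_leaks(SAMPLE_TRANSCRIPT):
        print(f"line {n}: unredacted {FIELD} ending in {v[-4:]}")
    print("rotate:", keys_to_rotate(SAMPLE_TRANSCRIPT))
```

Run it against the real transcript directory with `find_leaks(open(path).read().splitlines())`; any non-empty result means the key has left the process and should be treated as compromised regardless of who else could read the file.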

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares required environment variables and invokes Python clients that will almost certainly make outbound API requests, but it does not declare explicit permissions for those capabilities. This creates a transparency and policy-enforcement gap: users or orchestrators may invoke a skill with network and secret access without clear permission signaling, increasing the risk of unintended data exposure or unauthorized external actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The status command returns the configured `aisa_api_key` in plaintext, which is a secret unrelated to the user-facing purpose of checking relay status. In an agent skill context, a user can often invoke status-like commands through natural language, so this creates a straightforward secret disclosure path that could allow unauthorized use of the relay or related services.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The help text frames `status` as a configuration-inspection command, and the implementation exposes the raw API key as part of that output. This makes accidental or socially engineered secret disclosure more likely because the capability appears legitimate and easy to request through normal operation.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command includes the full AISA API key in routine output, which unnecessarily discloses a bearer credential to terminals, logs, calling agents, or any upstream orchestration layer that captures stdout. Because this skill is designed for relay-based Twitter actions, exposing the API key materially increases the chance of credential theft and unauthorized use of the relay service.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Authorization and publishing flows return the raw AISA API key in normal command output, causing a secret to be exposed during standard successful operation. In agent environments, command output is often persisted in logs, tool traces, chat transcripts, and monitoring systems, so this creates a straightforward secret leakage path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly promotes account-impacting actions such as posting, liking, following, and replying, but it does not clearly warn that these actions can modify a user's social media account, create public content, or trigger platform enforcement if misused. In an autonomous agent context, this is dangerous because operators may treat the skill as routine search tooling while unintentionally authorizing actions with reputational, privacy, or policy consequences.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger description is very broad, covering generic Twitter search, monitoring, posting, replying, liking, and following workflows. Overbroad activation can cause the agent to select this skill in situations where the user did not intend external network access or account actions, which is especially risky because the skill supports write operations through OAuth.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The "When to use" (何时使用) guidance repeats the same broad activation language without concrete constraints, exclusions, or safety gates. In context, this increases the chance of accidental invocation for ambiguous requests and can escalate into unintended external API calls or social-account actions.

Missing User Warnings

High
Confidence
99% confidence
Finding
This code path directly serializes and prints `config["aisa_api_key"]` in the status response. Exposure of an active API key can let an attacker authenticate to the relay service, perform unauthorized actions, and potentially pivot into other systems depending on how that key is scoped.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script explicitly prints a JSON object containing the bearer API key during authorization output, which exposes a reusable credential to anyone with access to process output or captured logs. Since bearer tokens typically grant direct access without additional proof of identity, disclosure can enable unauthorized relay usage and possible account actions through the connected service.

Missing User Warnings

High
Confidence
99% confidence
Finding
The post result object includes the raw AISA API key and is later printed, leaking the credential during routine tweet publishing and error handling paths. This is especially dangerous in an automation skill, where outputs may be consumed by other tools or stored centrally, broadening exposure far beyond the local user.

Missing User Warnings

High
Confidence
99% confidence
Finding
The status command exposes the AISA API key directly, even though status reporting only needs configuration health and endpoint metadata. This creates unnecessary credential disclosure with no operational justification and can lead to unauthorized API access if logs or transcripts are accessible to other users or systems.

Ssd 3

Medium
Confidence
98% confidence
Finding
Because this skill is designed for social-media actions via an agent, a benign-sounding request like 'show current configuration' could surface the credential to an untrusted requester. The skill context makes this more dangerous, not less, because the command is part of normal operational flow and returns machine-readable output suitable for easy exfiltration.
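The findings on the status, authorization and post flows all describe the same defect: the result object that gets serialized to stdout carries `config["aisa_api_key"]`. As an added example (not the skill's code; the config layout, the relay URL field and the extra secret field names are assumptions), the block below puts the leaking pattern beside a hardened version that reports configuration health and endpoint metadata only, and routes every result through one redacting print path so that an error result which happens to embed the whole config still cannot leak it.

```python
"""Vulnerable status output beside a redacting replacement.

Added example, not the skill's own code. `aisa_api_key` is the field named in
the findings; `relay_url`, `twitter_user` and the other SECRET_KEYS entries are
assumed for illustration. SAMPLE_CONFIG is constructed, not a real credential.
"""
import json

# Field names that must never reach stdout. Only `aisa_api_key` comes from the
# report; the rest are additions a maintainer would reasonably include.
SECRET_KEYS = {"aisa_api_key", "api_key", "access_token", "refresh_token", "password"}

SAMPLE_CONFIG = {
    "relay_url": "https://relay.example.invalid",           # assumed field
    "aisa_api_key": "aisa-0123456789abcdef0123456789abcdef",  # constructed value
    "twitter_user": "@example",                              # assumed field
}


def status_vulnerable(config: dict) -> dict:
    """The pattern the findings describe: the raw key is part of the result."""
    return {
        "configured": bool(config.get("aisa_api_key")),
        "relay_url": config.get("relay_url"),
        "aisa_api_key": config.get("aisa_api_key"),
    }


def mask(value, keep: int = 4) -> str:
    """Keep only the last `keep` characters so an operator can tell which key is set."""
    if not isinstance(value, str) or len(value) <= keep:
        return "***"
    return "***" + value[-keep:]


def redact(obj):
    """Deep copy of `obj` with every secret-named field masked, at any nesting depth."""
    if isinstance(obj, dict):
        return {k: (mask(v) if k in SECRET_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    return obj


def status_hardened(config: dict) -> dict:
    """Health and endpoint metadata only; the key is masked before it enters the result."""
    return {
        "configured": bool(config.get("aisa_api_key")),
        "relay_url": config.get("relay_url"),
        "aisa_api_key": mask(config.get("aisa_api_key", "")),
    }


def emit(result: dict) -> str:
    """Single choke point for output: redact, then serialize. Use this for status,
    authorize and post results alike, including error paths."""
    return json.dumps(redact(result), ensure_ascii=False, sort_keys=True)


def contains_secret(text: str, config: dict) -> bool:
    """Check used in tests and CI: does this output contain a configured secret verbatim?"""
    return any(isinstance(v, str) and v and v in text
               for k, v in config.items() if k in SECRET_KEYS)


if __name__ == "__main__":
    leaky = json.dumps(status_vulnerable(SAMPLE_CONFIG))
    safe = emit(status_hardened(SAMPLE_CONFIG))
    # Error path that embeds the full config, as the post-flow finding describes.
    post_error = {"ok": False, "error": "relay 401", "config": SAMPLE_CONFIG}
    print("vulnerable status leaks key:", contains_secret(leaky, SAMPLE_CONFIG))
    print("hardened status leaks key:  ", contains_secret(safe, SAMPLE_CONFIG))
    print("post error via emit():", emit(post_error))
```

The `contains_secret` check is the regression test to keep: run every command's captured stdout through it with the live config and fail the build if it returns True.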

VirusTotal

67/67 vendors flagged this skill as clean.
