AIsa Twitter API (Search + Post)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Twitter/X integration, but it needs review because it can publish publicly and exposes the AIsa API key in normal command output.

Install only if you trust AIsa with Twitter/X API access and delegated posting. Treat command output as sensitive because this version can print the raw AISA_API_KEY. Before posting, verify the final text, media files, and whether the action is standalone, quote, reply, or threaded; leave TWITTER_RELAY_BASE_URL unset unless you intentionally trust the alternate relay.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
An earlier section of the skill says normal standalone posts should not include relationship fields, but the agent instructions later say to default to `--type quote` for publishing. In a posting skill, this can cause the agent to turn ordinary posts into quote posts, potentially appending external tweet URLs or changing the user’s intended audience or context. This is an integrity and consent problem rather than a direct code-execution issue.

Intent-Code Divergence

High
Confidence: 98%
Finding
This is a true policy/behavior contradiction: one section says normal single posts must not send thread/relationship fields, while later instructions tell the agent to default to quote mode. In an autonomous posting skill, conflicting instructions are dangerous because they can systematically cause unintended public actions on a third-party platform, violating user intent and potentially disclosing associations with external tweets.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The module is documented as read-only, yet the shared request helper supports POST and automatically injects the AISA API key into the JSON body via aisa_api_key. Sending credentials in both the Authorization header and request body expands exposure risk through downstream logging, telemetry, error capture, or intermediary services, and the misleading read-only framing reduces operator scrutiny.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The status command prints the configured AISA API key in plaintext, unnecessarily disclosing a bearer credential to any caller, logs, transcripts, or downstream tooling that captures command output. In this skill context, the command is meant to report configuration status, so revealing a reusable secret is not required for functionality and increases the chance of account or API misuse.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The authorize flow includes the AISA API key in user-visible JSON output, exposing the bearer token alongside OAuth data. This is dangerous because terminal output is often logged, copied into chats, or surfaced to calling agents, turning a local authorization helper into a credential disclosure channel.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The publish result objects echo the AISA API key back to callers during success and error handling, needlessly propagating a reusable secret through normal control flow. Since posting results may be displayed, stored, or forwarded by orchestration systems, this materially broadens exposure of the credential beyond its intended use.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README advertises the ability to write and post to Twitter/X, including text and media, but does not clearly warn that these actions can publish public content to the user's account. In an agent skill context, missing disclosure increases the risk of users or orchestrating agents invoking posting functionality without fully appreciating that it causes irreversible external side effects on a live social account.

Vague Triggers

Medium
Confidence: 78%
Finding
The description is broad enough to trigger the skill for generic social-listening or Twitter-related requests, increasing the chance the agent invokes an external third-party service when a user may only expect local reasoning or a different data source. Over-broad routing can cause unintended data disclosure in prompts or queries sent to the external API.

Missing User Warnings

Medium
Confidence: 81%
Finding
The skill advertises monitoring, competitor intelligence, and sentiment/social-listening workflows without any warning about privacy, data retention, or third-party processing. In context, this makes the skill more dangerous because user-provided search terms, monitored accounts, and analysis targets may be transmitted to an external provider without informed consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs the agent to upload user text and local media files to a relay backend and then to X/Twitter, but it does not clearly warn users that their content and attachments are transmitted to external services. In a social-posting context, this omission can lead to uninformed disclosure of sensitive or private material, especially when attachments come from the local workspace.

Missing User Warnings

High
Confidence: 98%
Finding
These command result paths expose the AISA API key in JSON responses visible to users or calling systems. Because the key is a bearer secret, anyone who obtains the output may be able to invoke the relay service or impersonate the configured client, which is more dangerous in an agent skill where outputs are routinely passed across system boundaries.

Missing User Warnings

High
Confidence: 99%
Finding
The authorization command prints the AISA API key next to OAuth response information, combining a sensitive relay credential with actionable auth metadata in one output blob. This creates an easy exfiltration point via logs, screenshots, agent traces, or shell history without any legitimate need for the user to see the secret.

Missing User Warnings

High
Confidence: 99%
Finding
The status command reveals the configured AISA API key in plaintext, directly disclosing a secret to any local user, wrapper process, or logging pipeline that invokes it. In a Twitter command-center skill, this is especially unjustified because status reporting does not require exposing credentials and the key may grant broader relay access than a single operation.

VirusTotal

65/65 vendors flagged this skill as clean.
