Apitweet

Security checks across malware telemetry and agentic risk

Overview

This is a real Twitter/X automation CLI skill, but it grants broad account and credential authority with some under-scoped request and activation behavior users should review before installing.

Install only if you trust this publisher and are comfortable giving an agent a credentialed Twitter/X automation tool. Use --dry-run first, avoid storing cookies or auth_token values on shared machines, isolate APITWEET_CONFIG_DIR, verify the active profile/account before any write action, and do not use raw absolute URLs or untrusted endpoint paths with saved credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The command dispatcher deliberately supports a generic mode where any argument starting with '/' or 'http(s)://' is passed to performRequest using user-supplied method, path, and body. This bypasses the guardrails implied by the named subcommands and allows arbitrary backend/API invocation, which is risky in an agent skill because a prompt or upstream tool consumer could trigger sensitive, undocumented, or destructive endpoints.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The request logic explicitly permits any absolute http(s) URL by using it directly instead of constraining requests to the configured API base URL. In a CLI skill that may be driven by untrusted task input, this enables server-side request forgery–style behavior from the user's environment, including sending authenticated requests to attacker-controlled hosts or internal services, and the risk is increased because Authorization and user-supplied headers are attached before the request is made.

Missing User Warnings

Medium
Confidence: 86%
Finding
The README explicitly promotes DM history access and DM sending, which are privacy-sensitive capabilities, but the surrounding documentation does not provide a clear warning about consent, legal restrictions, data minimization, or safe handling of private message content. In an AI-agent skill context, this is more dangerous because agents may automate these commands at scale and expose or process private communications without adequate user awareness or policy guardrails.

Vague Triggers

Medium
Confidence: 92%
Finding
The default prompt broadly instructs the agent to use the apitweet CLI for installation, configuration, and command execution without defining narrow activation criteria or safety boundaries. In a credential-aware workflow touching Twitter/X app or profile authentication, this can cause unintended invocation in contexts involving secrets, shell commands, or external API actions, increasing the chance of overbroad tool use and accidental credential exposure or state-changing requests.

Vague Triggers

Medium
Confidence: 95%
Finding
Enabling implicit invocation allows this skill to activate without a tightly scoped user request, which is risky for a CLI skill that can install software, configure local auth, and invoke external endpoints. Because the skill is explicitly credential-aware and can operate on local config and environment variables, unintended activation could lead to secret handling, configuration changes, or unauthorized API interactions with limited user awareness.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly supports publishing content to X via `article publish-md` but does not surface that this is an external write action with real-world side effects. In an agent setting, omitting that warning increases the chance of unintended posting, especially when the skill encourages operational defaults and only conditionally uses `--dry-run`.

Natural-Language Policy Violations

Low
Confidence: 88%
Finding
The instruction to use saved app auth or `APITWEET_KEY` for read requests and saved profiles for write requests permits implicit credential selection without explicit user confirmation of which account or context is being used. In multi-account or shared environments, this can lead to actions being performed under the wrong identity or with broader access than the user intended.

Missing User Warnings

Medium
Confidence: 95%
Finding
The auth cookie flow embeds the auth token directly into the URL path (`/twitter/{token}/cookie`). Secrets in URL paths are commonly exposed through logs, reverse proxies, browser/history equivalents, telemetry, and error messages, so even if transport is HTTPS the token may leak to systems that record request URLs.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code persists the retrieved cookie and auth token into config.profiles and saves them to disk without any explicit protection or warning in this file. Long-lived session material stored persistently increases the blast radius of local compromise, accidental backup/sync leakage, or other tools reading the config directory.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code persists Twitter/X authentication material (cookie, auth_token, ct0) directly to a JSON config file on disk via saveConfig without any warning, consent prompt, or visible discussion of storage risk. These are highly sensitive bearer-style credentials; if the local filesystem is readable by another user, included in backups, or accidentally committed/shared, an attacker can reuse them to access the associated account or session.

Missing User Warnings

Medium
Confidence: 84%
Finding
The help text explicitly encourages storing API keys, cookies, and auth tokens for later use and advertises write-capable operations such as DMs, profile updates, follows, and tweet creation, but it does not warn users about the sensitivity of those secrets or the consequences of using persistent authenticated profiles. In a CLI that performs account actions, omission of security guidance increases the chance of credential mishandling, accidental account takeover exposure, or unintended destructive actions.

Session Persistence

Medium
Category: Rogue Agent
Content
# apitweet-cli

> apitweet-cli is a Node.js command-line client for ApiTweet Twitter/X endpoints. It helps developers and AI agents fetch Twitter/X data, manage API credentials, preview write actions, publish X Articles from Markdown, and automate common X workflows from the terminal.

## Quick facts
Confidence: 80%
Finding
write actions, publish X Articles from Markdown, and automate common X workflows from the terminal. ## Quick facts - Product: `apitweet-cli` - Category: Twitter/X API command-line client - Runtime:

VirusTotal

VirusTotal findings are pending for this skill version.
