Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twitter Browser Automation

v1.0.0

Interact with Twitter/X through Chrome browser via browser-relay MCP. Post tweets, search trends and hashtags, analyze engagement metrics, create threads, an...

by bulldozzer @andreasozzo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: it automates Twitter/X via a browser-relay MCP (no API keys). Requiring a logged-in Chrome session and browser-relay is appropriate for this purpose. The README's guidance to run @anthropic-ai/browser-relay via npx is consistent with the stated architecture.
Instruction Scope
SKILL.md instructs the agent to navigate pages, click, type, and read content on x.com — which is expected. It explicitly says it will treat page content as untrusted and require confirmation before posting. Caution: a browser-relay agent controlling a logged-in Chrome profile can potentially access any data visible in that browser (other tabs, cookies, saved sessions). Confirm the skill enforces the stated explicit-confirmation behavior and that the agent will not be allowed to act on unrelated pages or credentials.
Install Mechanism
The skill is instruction-only (no install spec), which lowers risk. However, the README recommends configuring browser-relay via npx @anthropic-ai/browser-relay, which pulls code from npm at runtime. That is a reasonable distribution method, but you should verify the package source and the trustworthiness of the MCP implementation before running it.
Credentials
No environment variables, credentials, or config paths are requested by the skill itself — appropriate for a browser-driven integration that relies on the user's logged-in Chrome session rather than API keys.
Persistence & Privilege
always:false (good) and user-invocable:true. However, disable-model-invocation is false (default), so the agent may invoke this skill autonomously. Combined with the ability to control a logged-in Chrome session, that raises the blast radius: an autonomous agent could potentially read or act on the user's active browser session. The SKILL.md states it requires explicit confirmation before posting, but you should verify that the platform enforces that confirmation and consider disabling autonomous invocation if you want to avoid automated posts.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md contains this pattern inside prompt-injection defense text and examples. The scanner flagged it, which is expected because the skill describes injection vectors and defenses. Still, presence of such phrases is worth human review to ensure they are only examples/defenses, not active instructions to override agent policies.
[system-prompt-override] expected: Also appears as part of the prompt-injection defense discussion in the documentation. Expected in context, but any literal instructions attempting to override system prompts would be dangerous — verify the text is purely descriptive/defensive.
What to consider before installing
This skill appears to do what it says (browser-driven Twitter automation) but it controls a logged-in Chrome session through an external MCP — a powerful capability. Before installing:
1) Verify and audit the browser-relay package (@anthropic-ai/browser-relay) you will run via npx (review the package source, maintainer, and network behavior).
2) Use a dedicated Chrome profile for automation (not your primary account) to limit exposure of cookies and other sessions.
3) Consider disabling autonomous invocation (set disable-model-invocation) if you don't want the agent to act without manual approval.
4) Confirm that the skill/platform enforces the claimed explicit-confirmation step before any publish action.
5) Manually inspect the SKILL.md/README for any lines that look like covert prompts or instructions that would cause the agent to ignore prior safeguards.
If you need lower risk, prefer an API-key-based integration or a read-only analysis mode rather than live control of your logged-in browser.
README.md:116
Prompt-injection style instruction pattern detected.
SKILL.md:414
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Runtime requirements

OS: macOS · Linux
