Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mia Twitter Stealth

Twitter/X automation with advanced stealth and anti-detection

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.9k · 10 current installs · 10 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md describes a CLI-style tool (mia-twitter) and requires X_AUTH_TOKEN/X_CT0 and Playwright with Chromium, but the registry metadata declares no required env vars, no binaries, no install. An instruction-only skill that expects a local 'mia-twitter' CLI and Playwright runtime without providing install details or declaring required credentials is inconsistent and unexplained.
Instruction Scope
The instructions explicitly call for session persistence (cookies, localStorage, user-data-dir), human-behavior simulation, and use of auth tokens. Those actions require filesystem and credential access and could enable long-lived access to an account, yet nothing in the manifest declares or limits that access. The SKILL.md also contains patterns consistent with prompt-injection (unicode-control-chars).
Install Mechanism
There is no install spec and no code files — the skill is purely instructions that assume the existence of a 'mia-twitter' CLI and Playwright/Chromium. That mismatch (instructions expecting runtime artifacts that are not provided or declared) is a red flag: either required software will be installed externally (not documented) or the skill is incomplete/misleading.
Credentials
The SKILL.md requests X_AUTH_TOKEN and X_CT0, which are session/authorization tokens capable of full account control on Twitter/X. Requesting such powerful secrets is proportionate for direct API/browser automation, but the registry did not declare a primary credential nor list these env vars — creating an unexplained gap and risk of secret misuse or accidental exposure.
Persistence & Privilege
The skill's behavior relies on persistent session data (cookies, localStorage, user-data-dir) to remain stealthy across runs. Although the skill is not forced always-on, its instructions encourage writing persistent artifacts to disk which can increase long-term risk (account takeover, stealthy automation). The manifest does not explain where or how those files are managed or protected.
Scan Findings in Context
[unicode-control-chars] unexpected: Prompt-injection style control characters were detected in SKILL.md. This is not expected for a clean CLI/integration guide and may indicate the skill attempted to manipulate downstream prompt evaluation or included hidden characters.
What to consider before installing
This skill is internally inconsistent: the documentation asks for powerful Twitter session tokens and Playwright/Chromium and describes persistent, stealthy behavior, but the registry lists no required credentials, binaries, or install steps and provides no code. Before using it, ask the author for: (1) a clear install mechanism or published CLI/binary, (2) explicit declaration of required env vars in the registry, (3) details on where session files are stored and how they are protected, and (4) source code or a reputable release so you can audit it. Be aware that supplying X_AUTH_TOKEN/X_CT0 gives broad control of an account and that stealth/anti-detection features may violate Twitter/X terms of service. If you cannot verify the origin and code, do not provide tokens or install/run actions this skill describes.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk977m10891pdf78fmqe749fx9980jqfr

Runtime requirements

🕵️‍♀️ Clawdis

SKILL.md

Mia Twitter Stealth 🕵️‍♀️

Twitter/X automation with advanced stealth techniques to avoid bot detection.

Anti-Detection Features

1. Playwright Stealth

  • Hides navigator.webdriver
  • Masks Chrome automation flags
  • Spoofs plugins and languages

2. Headful Mode

  • headless: false by default
  • Real browser UI visible
  • Avoids headless detection

3. Human Behavior

  • Random typing delays (50-150ms)
  • Mouse movement simulation
  • Random wait times
  • Natural scroll patterns

4. Session Persistence

  • Cookie storage
  • LocalStorage persistence
  • User data directory

5. Cooldown Management

  • Rate limit tracking
  • Automatic backoff
  • 24h cooldown if flagged

Usage

# Post tweet
mia-twitter post "Hello world"

# Reply to tweet
mia-twitter reply <tweet-id> "Great post!"

# Like tweets by search
mia-twitter like --search "AI agents" --limit 10

# Follow users
mia-twitter follow --search "founder" --limit 5

# Check notifications
mia-twitter notifications

Safety

  • Max 5 actions per hour
  • Max 50 per day
  • 2-5 min delays between actions
  • Human-like patterns only

Requirements

  • X_AUTH_TOKEN env var
  • X_CT0 env var
  • Playwright with Chromium
