Composio Composer Xskill

Security checks across malware telemetry and agentic risk

Overview

This skill is meant for Twitter/X automation, but it needs Review because it can post and delete account content while using under-disclosed credential and network fallback paths.

Install only if you intend to let an agent use Composio/Twitter credentials for public posting and tweet deletion. Use scoped, revocable credentials; avoid hardcoded tokens; require explicit confirmation before posting or deleting; review or remove the direct Twitter API and HTML-form fallback paths; and pin/audit dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents use of environment variables, file-based configuration, and outbound HTTP interactions, but it declares no permissions. This undermines least-privilege review and can cause users or an agent platform to grant broader implicit access than expected, especially where tokens and network actions can affect external accounts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest frames the skill as tweet posting, but the documentation adds retrieval, deletion, and broader credential/config loading behavior, with mention of possible direct Twitter API fallback. This mismatch is dangerous because reviewers and calling agents may authorize the skill for a narrow purpose while it can perform additional account-affecting actions and use broader secrets.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README advertises substantially broader capabilities than the stated skill purpose, including tweet deletion, DMs, blocking, and reading account data. This scope expansion increases the chance that users grant or trust permissions beyond what they expect, which is dangerous in an agent skill because it can enable unintended account actions and privacy-impacting operations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation advertises get_tweet and delete_tweet despite the stated scope being posting-only. This expands the operational scope from a simple write action to read and destructive actions, which can surprise downstream users and increase the chance of unauthorized account changes or data access.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The configuration section requires multiple powerful Composio credentials and session artifacts that imply broader authenticated session access than a minimal tweet-posting tool would need. That increases the blast radius if the skill is misused, misconfigured, or logs/leaks these values.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata and module docstring present the capability as posting tweets, but the exported API also supports reading and deleting tweets. This mismatch can mislead users, reviewers, or policy systems into granting access under narrower assumptions, increasing the chance of unintended destructive actions or over-broad permissions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it enables posting tweets, but the code also exposes tweet retrieval and deletion capabilities. This expands the effective privilege and behavior of the skill beyond what a user or orchestrator would reasonably expect, increasing the risk of unauthorized data access or destructive actions when the skill is invoked under a narrower trust assumption.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest says posting occurs through Composio, but the code falls back to direct Twitter API access using the same bearer token flow. This bypasses the declared integration boundary and can cause data to be sent to a different external service than expected, undermining user consent, auditability, and control assumptions around credential handling.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module documentation claims the client works through Composio, while the implementation can directly call Twitter/X APIs. This mismatch is security-relevant because operators, reviewers, or policy engines may approve the component based on inaccurate documentation, leading to unsafe deployment decisions and unexpected data flows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README lists destructive and privacy-sensitive operations such as deleting tweets, reading/sending DMs, muting, blocking, and managing account state without prominent warnings or consent guidance. In an agent context, users may invoke the skill assuming simple tweet posting, while the skill may have access to far more sensitive actions affecting privacy, reputation, and account integrity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README does not clearly warn that tweet content, media files, tokens, and account-related data are sent to a third-party integration service. In a social-media skill, this omission is security-relevant because users may unknowingly transmit sensitive content or credentials off-platform, increasing exposure to privacy loss, data mishandling, or credential misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documentation omits meaningful warnings that tweet content and authentication tokens are sent to a third-party integration layer and that deletion affects live account content. Without clear disclosure, users may unknowingly expose sensitive content or authorize destructive actions on their social media account.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The module exposes a delete_tweet function as a simple one-call operation with no confirmation, safety interlock, or indication that the action is destructive. In agentic contexts, this raises the risk of accidental or unauthorized deletion of content if a prompt, tool call, or misunderstanding triggers it.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The example performs a destructive action by deleting a tweet immediately after creating it, without any confirmation, warning, or clear indication that this is irreversible. In agentic or copy-pasted usage, users may run the example as-is and unintentionally delete content, making this a safety issue even if it is not overtly malicious.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The fallback web-scraping path parses arbitrary HTML forms and submits tweet content to the discovered form action without explicit disclosure or tight destination validation. This makes the transmission path less predictable than the declared API flow and could send content or tokens to unintended endpoints if the returned HTML is altered or malicious.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
python-dotenv>=1.0.0
Confidence
97% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
python-dotenv>=1.0.0
Confidence
97% confidence
Finding
beautifulsoup4>=4.12.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
python-dotenv>=1.0.0
Confidence
96% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
72% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.
