ClawHub

AIsa Twitter Post Engage

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X relay skill is mostly coherent, but it needs review because normal posting and authorization output can expose the AIsa API key while enabling live account actions.

Install only if you trust AIsa with relay-mediated access to your Twitter/X workflows. Use a dedicated or rotated AISA_API_KEY, avoid sharing command output until the key-printing issue is fixed, review every post or engagement target before running commands, avoid uploading private local media, and know how to revoke the Twitter/X OAuth authorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares required binaries and environment variables but does not expose a clear permissions model despite supporting network access and use of an API key. This can weaken user awareness and review, because the skill can transmit data to an external relay and perform account actions without an explicit permission declaration surface.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command includes the raw AISA API key in user-visible JSON output. Any terminal logs, chat transcripts, CI logs, or calling agent that captures stdout will receive a reusable secret unrelated to the purpose of a health/status check, enabling unauthorized use of the AIsa relay and any connected Twitter actions.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The authorize flow returns the full AISA API key alongside the authorization URL, even though the caller only needs the URL. This unnecessarily discloses a bearer credential to any user, wrapper, or logging layer observing command output, allowing replay against relay endpoints.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This finding is substantively the same secret-exposure issue in the status command: a sensitive API key is emitted without masking or consent. In an agent skill context, stdout is commonly surfaced back to users or orchestration systems, which makes secret leakage more dangerous than in a purely local CLI.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This is also a true positive: the authorization command prints a full bearer secret with no masking. Because the skill is designed for Twitter/X posting through a relay, exposing the relay credential can let an attacker act through the account or enumerate connected capabilities far beyond simply opening an auth URL.

External Transmission

Medium
Category
Data Exfiltration
Content
export AISA_API_KEY="your-key"
```

All network calls go to `https://api.aisa.one/apis/v1/...`.

## Capabilities
Confidence
84% confidence
Finding
https://api.aisa.one/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal