AIsa Twitter Research Engage Relay

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it can expose its AIsa API key in normal output while performing real Twitter/X account actions.

Install only if you trust AIsa with Twitter/X relay access and can control where command output is logged. Avoid shared terminals, CI logs, and chat-visible tool traces until the API-key output is removed, and rotate the AISA_API_KEY if it has already appeared in logs. Confirm exact accounts, tweet IDs, and post text before running engagement or posting commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares required environment variables and clearly directs the agent to call external API-backed scripts, but it does not declare explicit permissions for those capabilities. This creates a transparency and policy-enforcement gap: a user or host platform may not realize the skill can access secrets and perform network actions, including account engagement operations against Twitter/X via a third-party service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script includes the raw AIsa API key in user-visible JSON output for publish/status flows. Exposing secrets in normal output is dangerous because terminals, logs, shell history captures, CI transcripts, and agent tool outputs may retain the key and allow unauthorized use of the AIsa account and downstream Twitter actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The authorize command prints the AIsa API key together with the authorization URL, unnecessarily disclosing a bearer secret during a sensitive auth flow. Anyone with access to console output or captured tool responses could reuse that key to call the remote API and perform actions on behalf of the user.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The client forwards user-supplied Twitter usernames, tweet IDs, queries, and related metadata to api.aisa.one, a third-party service, without any explicit disclosure or consent mechanism in the tool itself. In an agent skill context, this matters because users may believe they are querying Twitter directly when they are actually disclosing interests, targets, and research activity to an intermediary service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This CLI performs externally visible account actions such as like, unlike, follow, and unfollow immediately once invoked, with no confirmation gate, dry-run mode, or secondary approval for potentially unintended social actions. In an agent skill context, that increases the risk of accidental or prompt-induced misuse because a mistaken username, tweet ID, or ambiguous upstream instruction can directly change the operator’s social account state and reputation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This is a true positive for secret disclosure: the API key is printed without masking or warning in standard output. In the context of an agent skill, stdout is often surfaced to users, stored in traces, or forwarded between systems, which increases the likelihood of credential leakage beyond the local machine.

VirusTotal

64/64 vendors flagged this skill as clean.
