Twitter

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill is mostly purpose-aligned, but it exposes the configured AIsa API key in normal command output while supporting real account-changing actions.

Install only if you trust AIsa with your Twitter/X activity, post content, uploaded media, and API key. Avoid running status or authorization commands in shared logs until key redaction is fixed, and require explicit review before any post, like, follow, unfollow, or media upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions even though it clearly requires environment access for `AISA_API_KEY` and network access to external AIsa endpoints. This weakens policy enforcement and informed consent because a host may invoke a skill with broader capabilities than the manifest transparently communicates.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill’s agent instructions explicitly say to default to `--type quote` for publishing, which conflicts with earlier guidance that normal standalone posts should not send quote/reply relationship fields and that quote mode requires an explicit tweet URL. This contradiction can cause the agent to perform a materially different action than the user requested, potentially attaching unintended quote semantics or failing unpredictably, which is especially dangerous for autonomous posting on a live social account.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command returns the configured `aisa_api_key` in plain output, which is sensitive secret material unrelated to normal Twitter engagement functionality. Any caller able to invoke this command can exfiltrate the relay/API credential and potentially reuse it to access protected backend services or perform unauthorized actions through the relay.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command prints the full AISA API key back to stdout, unnecessarily exposing a bearer credential that can be copied from logs, terminal history, agent transcripts, or tool output. In this skill, the key grants access to the relay service used for Twitter authorization and posting, so disclosure can enable unauthorized API use and account actions through the relay.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The authorize/post flows include the raw AISA API key in their JSON output, which creates a direct credential disclosure channel unrelated to the skill's stated purpose of Twitter OAuth and posting. Because these outputs may be surfaced to users, stored in logs, or captured by other tools, an exposed bearer token could be reused to access the relay service and perform actions without re-authentication.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises actions that can modify a user's X/Twitter account state, including posting, liking, and following, but does not clearly warn that these are account-impacting operations. In an agent/skill context, missing disclosure can lead users to invoke the skill without realizing it may perform public or persistent actions on their behalf, increasing the risk of unintended posts, follows, or engagement.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description uses broad trigger language such as handling requests about Twitter/X data, posting, and interacting with users, which can cause overbroad auto-invocation for ordinary prompts. In an agent setting, that increases the chance of unexpected external API calls or account actions without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises posting, liking, and follow/unfollow capabilities but does not present prominent user-facing warnings about irreversible or account-affecting actions in the main description. In an autonomous agent context, this makes accidental social-account manipulation materially more likely once the skill is available.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This workflow enables real state-changing actions on a user's X/Twitter account (like, unlike, follow, unfollow) through a relay service, but the description does not clearly warn that these are live account modifications. That omission can cause users or downstream agents to invoke the skill without appreciating that it will perform external, irreversible or reputation-affecting actions on their behalf.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The attachment flow states that local media files and post content are sent from the local workspace to an external AIsa relay backend, but the skill does not clearly surface this data transfer to the end user at the decision point. Users may reasonably assume local handling, so this omission can lead to unintended disclosure of sensitive images, videos, or post text to a third-party service.

Missing User Warnings

High
Confidence
100% confidence
Finding
This line directly serializes and prints the full AISA API key to stdout without masking or warning, creating a straightforward secret disclosure vulnerability. In an agent skill context, command output may be surfaced to users, logs, orchestration layers, or other tools, so the exposed key can be captured and abused beyond the intended session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Printing a sensitive API key without warning or masking is a real secret-handling flaw, even if the output is otherwise expected by the caller. In agent and CLI contexts especially, stdout is commonly logged, persisted, or shown to end users, increasing the chance of accidental credential compromise.

VirusTotal

VirusTotal findings are pending for this skill version.
