Twitter Command Center Search Post

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Twitter/X search-and-posting purpose, but it exposes the AISA API key in normal command output and sends post content/media through a relay, so it needs review before installation.

Review before installing. Use only a dedicated, limited AISA_API_KEY, assume tweet text and attached files will leave your machine for AIsa and X/Twitter, and avoid running status/authorize/post in logged environments until the raw-key output is fixed. Rotate the key if any command output has already been captured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares required environment variables and describes API-backed Twitter search/posting, which implies network access and secret use, but it does not declare permissions explicitly. This creates a transparency and policy-enforcement gap: a host may allow the skill to run without clearly signaling that it can access secrets and make outbound requests, including posting actions tied to OAuth workflows.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The instruction to default all publishing to `--type quote` directly contradicts earlier guidance that standalone posts should not send quote/reply relationship fields and that quote mode should only be used when the user explicitly wants to quote another tweet. This can cause the agent to alter user intent, produce malformed or incomplete quote posts, and accidentally include relationship metadata that changes how content is published.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file is presented as a read-only Twitter client, but the shared request layer accepts POST and automatically injects the bearer credential into the JSON body. That creates an unnecessary capability mismatch: future code paths or downstream callers could perform state-changing actions and expose the API key to the remote service in an extra channel beyond the Authorization header.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation and CLI framing claim read-only behavior, while the implementation keeps a generic POST-capable transport. In agent settings, this kind of hidden capability is dangerous because orchestration layers or later edits may rely on the safety claim and expose the module in contexts where only non-mutating operations were approved.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The status command prints the raw AISA API key to stdout, which can be captured by logs, terminals, CI systems, shell history workflows, or downstream tools. Exposing a bearer credential is not necessary for Twitter status reporting and can enable unauthorized use of the relay service and any actions permitted by that key, including posting content or accessing connected account functions.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The authorize/post flows include the raw AISA API key in their JSON output, causing secret exposure during normal operation. Because this tool is likely to be used in agent pipelines, shells, and logging environments, the leaked bearer token may be stored or forwarded unintentionally and then reused by an attacker.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The posting/threading implementation returns result objects that explicitly include the bearer credential, creating a reusable secret disclosure channel inside a normal workflow path. In the context of a Twitter command-center skill, emitting credentials is unrelated to the advertised function and substantially increases the chance of credential theft through logs or tool output capture.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explains that local media and post content are sent to an external relay backend and then to Twitter/X, but it does not clearly warn users up front that their attachments and text leave the local environment. In an agent setting, this can lead to unintended disclosure of sensitive workspace files, draft content, or regulated data to third-party services.

VirusTotal

67/67 vendors flagged this skill as clean.
