Twitter Post AIsa

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill largely does what it says, but it exposes the AIsa API key in normal command output and can immediately perform public account actions once invoked.

Install only if you trust AIsa to relay your Twitter/X reads, posts, engagement actions, and selected media files. Avoid pasting command output into chats, tickets, or logs because this version can print the raw AISA_API_KEY; rotate the key if it has already been exposed. Confirm the exact account, tweet, text, and media path before every post, like, follow, unlike, or unfollow action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill requires an API key and communicates with a remote service, but it does not explicitly declare permissions for environment-variable access and network use. This weakens transparency and consent boundaries: a user or host framework may not realize the skill can exfiltrate prompts, targets, attached content, or metadata to an external API. In a security-sensitive agent environment, undeclared capabilities are a real risk even if the functionality is expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared purpose is limited to engagement workflows, but the underlying behavior reportedly includes broader surveillance and discovery features such as trending topics, lists, communities, spaces, verified followers, retweeters, and batch user lookups. That mismatch is dangerous because users and policy engines may authorize the skill for a narrow purpose while it can collect significantly more social-graph and behavioral data than advertised. Hidden capability expansion increases the chance of privacy violations, profiling, or misuse of the granted API access.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script prints the raw AIsa API key in command output for authorize/post results and status-style responses, which unnecessarily exposes a bearer credential to terminals, logs, shell history capture, CI logs, or downstream tooling. Because this key authorizes remote actions through the AIsa API, disclosure can enable unauthorized posting or account actions beyond the immediate user session.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs the agent to send local workspace media files to a third-party relay backend (`api.aisa.one`) for upload and posting, but it does not require an explicit user-facing disclosure or confirmation at the point of transfer. This creates a real privacy and data-handling risk because local files may contain sensitive content or metadata, and users may not realize the files leave the local environment before publication.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This client performs state-changing social actions (like, unlike, follow, unfollow) immediately once the command is invoked, with no second-step confirmation, dry-run mode, or policy gate at the point of execution. In an agent setting, that increases the risk of accidental or prompt-induced actions on the wrong tweet/account, causing unintended account activity, reputational harm, or abuse of the user's authenticated session.

VirusTotal

65/65 vendors flagged this skill as clean.
