AIsa Twitter Engagement Suite

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Twitter/X relay purpose, but it exposes the AIsa API key in command output during sensitive posting and authorization flows.

Review before installing. Use only an AIsa API key you can rotate, avoid sharing logs or transcripts from authorize/post commands until the key-output issue is fixed, and attach only media files you intentionally want sent through api.aisa.one and published to Twitter/X.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill requires an API key and performs relay-based Twitter operations, which implies environment and network access, yet it does not declare explicit permissions. This weakens transparency and consent boundaries for agents or users deciding whether to invoke the skill, increasing the risk of unintended outbound requests or use of sensitive credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The description emphasizes search and approved engagement, but the referenced behavior extends to OAuth authorization, posting, media upload, and threaded/reply/quote workflows. That broader capability can materially change risk because it enables authenticated write actions and exfiltration of local content to a third-party relay, which may surprise users or policy engines relying on the description.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The authorize command includes config["aisa_api_key"] in the JSON it prints, directly exposing the bearer credential to stdout, logs, shells, and any calling orchestrator. In an agent/skill context, command output is often captured and persisted, making accidental secret exfiltration especially likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to transmit local workspace media files and post content to a third-party relay service (`api.aisa.one`) but does not disclose the privacy and data-sharing implications to the user. This is dangerous because users may assume attachments remain local or go directly to Twitter/X, when in fact sensitive workspace files and content are sent through an intermediary service authenticated with an API key.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The client forwards user-supplied queries, usernames, tweet IDs, and related identifiers to a third-party relay service without any visible disclosure, consent prompt, or minimization logic in the code. In an agent setting, users may assume local processing, so this creates a privacy and data-handling risk, especially for sensitive searches or monitored account lookups.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This client performs state-changing actions such as like, unlike, follow, and unfollow by sending identifiers and the API key to remote relay endpoints immediately after argument parsing, without any explicit confirmation, dry-run mode, or user-consent checkpoint in the code path. In an agent-skill context, that increases the risk of unintended social actions or coerced engagement if upstream prompting, account resolution, or agent orchestration is manipulated, even though the behavior appears to be intended functionality rather than overtly malicious.

VirusTotal

65/65 vendors flagged this skill as clean.
