twitter-aisa

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill is mostly clear about its relay-based posting purpose, but its OAuth/posting script can print the user's AIsa API key in normal command output.

Review before installing. Use it only if you trust AIsa with Twitter/X searches, OAuth, post content, media files, and account posting authority. Avoid running the current authorize or post commands where output may be logged or shared until the raw aisa_api_key field is removed or redacted; rotate the key if it has already appeared in captured output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares that it requires an API key and explicitly routes requests to an external service, but it does not declare explicit permissions despite having environment-variable and network capabilities. This can weaken platform trust boundaries because users or orchestrators may not get a clear, machine-readable warning that the skill can read secrets and transmit data off-host.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The client includes the raw AIsa API key in JSON output for authorize/post flows, which can expose a bearer credential to terminals, logs, shell history capture, CI output, and downstream tools that record stdout. In this skill context, the script is specifically designed for OAuth-gated posting and account actions, so leaking the API key can let anyone with the captured output invoke the relay as the user and potentially authorize or publish on their behalf.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explains that local workspace files are passed to the client and uploaded through the relay backend to Twitter/X, but it does not clearly present this as a user-facing warning or consent checkpoint. In a posting skill that handles local attachments, this can lead to unintended exfiltration of local files to external services if the user or agent misunderstands what will be transmitted.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Printing the API key without warning is a real secret-handling flaw because command output is commonly captured by terminals, wrappers, log aggregators, screenshots, and chat transcripts. In an agent skill intended for research and approved posting workflows, stdout may be surfaced to orchestrators or users who do not need the credential, increasing the blast radius of accidental disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.
