Twitter Command Center Search Post Interact

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill mostly matches its stated purpose, but it exposes the configured API key in normal command output and can perform real posting and engagement actions.

Install only if you trust AIsa/api.aisa.one with Twitter/X account actions and can keep AISA_API_KEY out of logs. Avoid running status/authorize/post commands in shared terminals or recorded agent traces until the skill redacts the API key, and require explicit approval before posting, liking, unliking, following, unfollowing, or uploading local media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares required environment variables and clearly relies on external API access, yet it does not declare permissions for env or network use. This weakens the trust boundary for users and orchestrators, because the skill can access secrets and make outbound requests without an explicit permission contract.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as research, monitoring, and approved posting, but the detected behavior includes additional account-modifying actions such as like/unlike and follow/unfollow, plus status output that may expose relay configuration including an API key. Hidden or under-disclosed engagement actions can lead to unauthorized social actions, and exposing configuration or secrets can directly compromise the connected account or backend service.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The instruction to default all publishing to `--type quote` directly contradicts earlier guidance that normal standalone posts should not include quote/reply relationship fields. This can cause the agent to change the semantics of a user's post, potentially requiring a quoted target or producing malformed/inaccurate posting behavior, which is especially risky in an autonomous posting skill where user intent must be preserved exactly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module is presented as a read-only Twitter client, but the shared request helper includes POST support and automatically inserts the API key into POST bodies. That mismatch is dangerous because downstream agents or reviewers may trust the client as non-mutating while hidden write-capable behavior exists, increasing the chance of unintended posting or credential exposure if POST paths are later added or invoked.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The docstring and CLI help repeatedly describe the tool as providing only read APIs, but the implementation contains a POST code path. In an agent-skill context, misleading capability descriptions weaken operator trust boundaries and can cause automation to invoke a tool under the false assumption that it cannot perform state-changing actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The status command returns the configured AISA API key in cleartext JSON output. Exposing a live credential through a diagnostic command can leak the secret to users, logs, calling agents, or downstream tools, enabling unauthorized API access and potentially abuse of the Twitter relay or related services.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The help text says the command shows current relay engagement configuration, which understates that it also reveals a secret credential. This mismatch increases the chance an operator or agent will run the command in a normal support context and inadvertently disclose the API key in terminal history, transcripts, or logs.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command prints the full live AISA API key in normal output, which exposes a reusable secret to terminal logs, calling wrappers, transcripts, and other observers. In an agent skill context, command output is often captured or surfaced to users, so this creates a straightforward credential disclosure path that can enable unauthorized use of the relay service and any attached Twitter capabilities.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The authorize and post workflows return the active AISA API key in routine JSON output, unnecessarily disclosing a bearer credential during normal operation. Because these commands are likely invoked by an automation framework that records stdout, the secret can be harvested from logs or user-visible responses and then reused to perform authenticated actions against the relay.

Vague Triggers

Medium
Confidence
75% confidence
Finding
Broad activation language increases the chance the skill is invoked for loosely related social-media tasks without clear user intent, especially because the skill appears capable of networked and account-affecting actions. Over-broad triggering can cause unnecessary exposure of API-backed functionality and increase the risk of unintended engagement or data access.

Vague Triggers

Medium
Confidence
72% confidence
Finding
Ambiguous markdown usage criteria do not establish a precise activation boundary, which can cause the skill to be selected in contexts where the user did not clearly request Twitter/X operations. In a skill with external API access and potential account actions, ambiguous routing materially raises the chance of unintended execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This workflow enables account-affecting actions like likes, follows, and unfollows, but it does not clearly warn that these actions will be performed on the user's authenticated X/Twitter account. In an agent setting, lack of explicit execution-on-your-behalf disclosure increases the risk of unintended social actions, confused-deputy behavior, and user surprise when natural-language requests trigger real account changes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Quick Start instructs users to export an API key but provides no credential-handling guidance such as avoiding shell history leakage, shared terminals, logs, or repository commits. In operational environments, this omission can lead to accidental exposure of the AISA_API_KEY, which could allow unauthorized use of the relay-backed Twitter actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs the agent to transmit local workspace media files and post content to external services, but it does not require a clear disclosure or confirmation that local files will leave the workspace and be uploaded to AIsa/Twitter. In a skill designed for autonomous posting, this increases the risk of unintended exfiltration of sensitive workspace content or accidental public disclosure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The command emits the API key without masking or warning, making accidental disclosure very likely in interactive use, automation output capture, CI logs, agent traces, or chat responses. In this skill context, the danger is elevated because the tool is explicitly designed for agent-driven research and engagement workflows, where stdout is commonly propagated across multiple systems.

Missing User Warnings

High
Confidence
99% confidence
Finding
This finding is a concrete secret-exposure issue: a sensitive API key is emitted to user-visible output without masking, warnings, or any operational need. Bearer tokens generally grant direct access on possession, so exposing them in output materially increases the chance of credential theft through console history, telemetry, agent traces, or shared logs.

VirusTotal

65/65 vendors flagged this skill as clean.
