Twitter Post AIsa

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says for Twitter/X posting and engagement, but it exposes the AIsa API key in normal command output and can make live account changes once invoked.

Install only if you intend to let AIsa read from and perform actions on a connected Twitter/X account. Treat AISA_API_KEY as sensitive, avoid running the OAuth client in logged or shared terminals until the key-output issue is fixed, rotate the key if it may already have been exposed, and review exact tweet text, media files, tweet IDs, and target accounts before allowing any post, like, follow, unfollow, or reply.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions while clearly requiring environment-variable access and network communication to a third-party API. This weakens transparency and reviewability, making it easier for users or orchestration frameworks to invoke a network-capable skill without understanding that secrets and outbound requests are involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior understates the apparent operational scope: search/discovery, unlike/unfollow, direct posting with media, and thread/quote chaining materially expand what the skill can do. Capability mismatch is dangerous because users may authorize a seemingly narrow engagement tool while the implementation can perform broader account actions and exfiltrate additional social graph/content data via the external service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The post/publish path returns the full AIsa API key in user-visible JSON, which unnecessarily exposes a bearer secret to logs, terminals, wrappers, and any downstream automation capturing stdout. In this skill's context, the key likely authorizes broader AIsa relay actions than a single Twitter post, so disclosure can enable unauthorized API use and account abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The authorize command prints the raw AIsa API key together with the authorization URL, turning a normal OAuth initiation flow into secret disclosure. Because authorization flows are commonly copied into tickets, chat, or logs, this greatly increases the chance of credential leakage and subsequent misuse of the AIsa account.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill enables live engagement actions on a real X/Twitter account but does not explicitly warn that these operations cause external, irreversible account-state changes such as likes, follows, and unfollows. In an agent workflow, that omission increases the chance of unintended actions or user surprise, especially when actions are inferred from prior context rather than a freshly supplied identifier.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client performs state-changing social actions such as like/unlike and follow/unfollow immediately once the command is invoked, with no built-in confirmation, dry-run preview, or secondary consent gate. In an agentic context, this increases the risk of unintended engagement caused by prompt injection, mis-resolution of a target account, or simple operator error, leading to unauthorized account activity and reputational harm.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Printing the AISA_API_KEY in CLI JSON responses is a direct secret-handling failure. Any shell history, CI logs, agent transcripts, or telemetry that records command output can capture the token, enabling unauthorized API calls and possible posting, authorization, or other actions through AIsa.

External Transmission

Medium
Category
Data Exfiltration
Content
- `AISA_API_KEY` is required for AIsa-backed API access.
- Use repo-relative `scripts/` paths from the shipped package.
- Twitter/X reads, OAuth requests, and user-approved media uploads use the fixed AIsa API endpoint `https://api.aisa.one/apis/v1/twitter`.
- Provide only `AISA_API_KEY`; do not use passwords, cookies, or browser credential export.

## Example Requests
Confidence
84% confidence
Finding
https://api.aisa.one/

VirusTotal

64/64 vendors flagged this skill as clean.
