X Twitter Command Center (Search + Post)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Twitter/X search-and-post purpose, but its posting client exposes the full AISA API key in normal command output.

Review before installing. Use this only if you trust AIsa with Twitter/X searches, posting workflows, and selected local media uploads. Avoid running the status, authorize, or post commands where their output is captured in shared logs, CI, screenshots, or transcripts until the client is patched to redact the AISA API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The skill implementation is limited to OAuth posting, but the metadata advertises broad search/read capabilities across X/Twitter. This mismatch can cause an orchestrator or user to route unrelated tasks to the skill, leading to overtrust, incorrect execution paths, and unintended data handling assumptions. In a security-sensitive agent environment, deceptive or overstated capability descriptions are dangerous because they expand the apparent trust boundary beyond what the file actually implements.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The agent instructions say to default to `--type quote` for publishing, which directly contradicts the core behavior and guardrails that say normal standalone posts should not send quote/reply relationship fields and quote-posting requires an explicit target URL. This can cause unintended disclosure of relationship metadata, malformed posting behavior, or accidental quoting logic for ordinary posts, making the skill behave contrary to user intent.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The client includes the AISA API key in user-visible JSON output for both authorization/status flows and also returns it in publish result objects. Exposing bearer credentials to stdout is dangerous because shell history, logs, CI output, screenshots, or downstream tools can capture the key, enabling unauthorized use of the relay service and potentially account actions through it.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README explicitly advertises the ability to write and post text and media to Twitter/X, but it does not clearly warn that these actions publish to a live external account and can change the user's public presence. In an autonomous-agent context, missing disclosure increases the risk of accidental or unauthorized-looking posts, reputational harm, and unintended publication of sensitive or incorrect content.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The skill description is broad enough to trigger for generic social-listening or Twitter-related requests, which can cause unnecessary third-party API calls and transmission of user queries or monitored targets. In agent settings, over-broad routing increases the chance of accidental data disclosure or use of external services without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The description does not clearly warn that user queries, monitored handles, tweet IDs, and potentially account-related workflow data are sent to the third-party service `api.aisa.one`. Lack of disclosure undermines informed consent and can expose sensitive business intelligence, monitoring targets, or user intent to an external processor.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The attachment flow states that local workspace files and post content are sent to an external relay backend and then to Twitter/X, but the skill description does not clearly warn the user about this external transmission. Users may provide sensitive local media or text under the mistaken assumption that processing is local or confined to OAuth-mediated posting. This is especially relevant because the skill handles workspace file paths and uploads file contents off-box.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Echoing a sensitive API key to the console is a direct secret-handling flaw. In this skill context, the script is intended for local OAuth/posting workflows where output is likely consumed by users, agents, wrappers, and logs, so the exposed token can be unintentionally retained and reused.

Env Variable Harvesting

Severity: High
Category: Data Exfiltration
Content
def __init__(self, api_key: Optional[str] = None):
    """Initialize the client with an API key."""
    # Fall back to the AISA_API_KEY environment variable when no key is passed in.
    self.api_key = api_key or os.environ.get("AISA_API_KEY")
    if not self.api_key:
        raise ValueError(
            "AISA_API_KEY is required. Set it via environment variable or pass to constructor."
        )
Confidence: 93%
Finding
os.environ.get("AISA_API_KEY

VirusTotal

66/66 vendors flagged this skill as clean.
