X Twitter Command Center (Search + Post + Interact)

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill is coherent, but it should be reviewed because ordinary command output can expose the AISA API key while the skill can post, like, and follow from an account.

Install only if you are comfortable giving this skill authority to act on a Twitter/X account through AIsa. Use a limited and revocable AISA API key, keep the output of the status, authorize, and post commands out of shared logs or transcripts until the key is redacted, and manually verify every post, media file, like, follow, and unfollow target before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares required environment variables and clearly performs outbound network requests, but the file does not declare explicit permissions for those capabilities. This creates a transparency and governance gap: users or hosts may not realize the skill can access secrets and transmit data to external services, increasing the chance of unintended data exposure or unsafe deployment.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file’s core behavior and guardrails say normal standalone posts should not send quote/reply relationship fields, but the agent instructions later say to default to `--type quote` for publishing. In a posting skill, that contradiction can systematically cause unintended quote tweets, alter the meaning/visibility of user content, and create incorrect or externally linked posts without the user’s informed intent.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file-level documentation states the client is for read operations, but the shared request helper is explicitly capable of POST requests and automatically includes the API key in the JSON body. This mismatch is dangerous because it can mislead reviewers, users, or higher-level agents into granting the tool broader trust than its implementation warrants, increasing the risk of unintended state-changing actions or credential exposure if POST endpoints are later added or already reachable indirectly.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The comments and CLI framing present the tool as a read-only Twitter client, yet the transport layer supports generic POST requests. In an agent skill context, deceptive capability descriptions are security-relevant because orchestration systems or users may approve the skill under the assumption that it cannot mutate remote state, while the code retains latent write functionality.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command returns the configured AISA API key in cleartext, which is a sensitive credential unrelated to normal Twitter engagement functionality. Any user, downstream tool, log sink, or model response that invokes or summarizes this command could exfiltrate the key and enable unauthorized use of the relay or associated backend services.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The status command prints the raw AISA API key to stdout, which turns a diagnostic command into a credential disclosure channel. CLI output is commonly captured in shell history, logs, CI transcripts, terminal recordings, and agent tool traces, so exposing the bearer token can enable unauthorized use of the relay service and any Twitter actions it authorizes.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The authorize and publishing flows include the raw AISA API key in printed JSON results, disclosing a bearer credential during normal operation. Because this tool is meant for Twitter/X actions rather than secret management, users and calling agents would not expect sensitive credentials to be echoed back, increasing the chance of accidental leakage into logs or downstream systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes posting, liking, following, and other engagement actions but does not clearly warn that these operations change a user's Twitter/X account state and may create public, hard-to-reverse actions. In an autonomous agent context, missing consent and impact warnings increases the risk of unintended posts, follows, or interactions that can harm reputation or violate user expectations.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The installation section instructs users to export an API key but does not warn that the credential is sensitive and must not be committed, logged, or shared. This omission can lead to accidental credential exposure, especially in agent, shell-history, or screenshot-sharing workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description advertises posting, liking, and following capabilities against a live Twitter/X account, but it does not prominently warn that the skill can make irreversible or externally visible account changes. In an agent setting, this can lead to accidental actions, reputation damage, or unwanted account activity if the user or orchestrator misunderstands the skill’s scope.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The attachment flow states that local workspace media is read by the client, sent to a relay backend, then uploaded to Twitter/X, but the skill does not prominently warn users that their post text and attachments leave the local environment and are transmitted to third-party services. In a social-posting skill handling user media, this omission creates a real privacy and data-handling risk because users may unknowingly expose sensitive files or content.

Missing User Warnings

High
Confidence
99% confidence
Finding
This is a true secret-disclosure issue: the command emits the full configured API key without masking or warning, making accidental leakage very likely in CLI output, agent transcripts, and telemetry. In an agent skill context, this is especially dangerous because status-style commands are commonly surfaced to users verbatim or summarized by the model.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code path returns the AISA API key inside the publish result object, which is then printed to stdout by the post command. Any local user, log collector, agent framework, or transcript system that captures command output can recover the token and reuse it to invoke the relay API, leading to account misuse or unauthorized posting operations.

Ssd 3

High
Confidence
99% confidence
Finding
The plain JSON output includes the raw API key, so the secret can be leaked through ordinary natural-language interaction, copy/paste, logging, or tool-result reflection by the agent. Because this skill is designed for user-facing social actions, exposing backend credentials materially expands impact beyond the intended OAuth-based Twitter operations.

VirusTotal

66/66 vendors flagged this skill as clean.
