Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twitter Automation Suite

v1.0.0

Twitter/X automation operations suite. Auto-posts tweets, monitors keywords, batch-replies, and generates tweet content with AI. Suitable for social media operations, account growth, and competitor monitoring.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description (Twitter automation) aligns with the provided post.js which uses puppeteer to log in and post. However package.json and SKILL.md list additional dependencies (playwright, twitter-api-v2, node-cron, OpenAI) and commands (monitor, reply, analyze) whose implementation files are missing. Registry metadata declares no required env vars while SKILL.md asks for TWITTER_USERNAME/PASSWORD/EMAIL and optional OPENAI_API_KEY. These mismatches suggest sloppy packaging or incomplete/changed code.
! Instruction Scope
SKILL.md instructs installing several packages and storing account credentials in a .env; index.js enforces a .env file and spawns scripts. The post flow (post.js) reads TWITTER_USERNAME/PASSWORD/EMAIL via dotenv and automates browser login — coherent for browser-based automation. But SKILL.md promises monitoring, auto-reply and analysis features; index.js references monitor.js/auto-reply/analyze scripts that are not present in the bundle, so the instructions overpromise and the runtime behavior could differ if those files are added later.
Install Mechanism
There is no formal install spec; SKILL.md asks users to run npm install for listed packages. Dependencies are typical for browser automation (puppeteer, dotenv) though twitter-api-v2 and playwright are present but unused in the included code. No external URL downloads or archives are used. Installing heavy packages like puppeteer is expected but increases attack surface if packages are malicious or compromised.
! Credentials
The skill requires direct Twitter credentials (username/password/email) per SKILL.md and post.js, but the registry metadata does not declare any required env vars — an incoherence. Requesting account credentials is proportionate to a puppeteer-based login approach but is sensitive: storing plaintext account passwords in .env and giving them to third-party code is risky. SKILL.md also asks for an OPENAI_API_KEY which is not used by the included scripts, another unexplained requested secret.
Persistence & Privilege
always is false and disable-model-invocation is default; the skill does not request elevated platform privileges. It spawns child processes and launches a browser (puppeteer) which is expected for this functionality but increases local resource usage. The bundle does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
Proceed with caution. The post.js script does perform browser automation and needs your Twitter username/password in a .env — only use these credentials if you absolutely trust the source and prefer browser-driven automation over OAuth/API tokens. The package advertises monitoring/reply/analysis features but the corresponding scripts are missing; this indicates the package is incomplete or poorly maintained. Before installing: (1) prefer OAuth/API tokens (twitter-api) or app-specific credentials instead of your primary password; (2) inspect any missing scripts if the publisher supplies updates — they could change behavior; (3) run in an isolated environment or throwaway account if you want to test; (4) verify the package author and repository (there's no homepage/source) and ask the publisher why metadata doesn't declare required env vars and why some dependencies and scripts are unused. If you are unsure, do not supply primary account credentials.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
index.js:85 — Shell command execution detected (child_process).
