Skill v1.0.0

ClawScan security

AI Twitter Daily · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 7:05 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill claims to produce a daily AI Twitter/X report but its manifest omits required credentials and the script relies on an external Grok-style API (defaulting to an untrusted domain) rather than actually fetching tweets — the pieces don't fully add up and could leak an API key or monitored account list.
Guidance
This skill is inconsistent: the code sends a prompt including your monitored accounts to whichever GROK_API_URL you configure (defaulting to a suspicious third-party domain) and expects the LLM to 'know' the last 24 hours of tweets rather than actually fetching them from Twitter. Before installing or running: 1) do not put a sensitive API key into an untrusted GROK_API_URL — prefer an official provider endpoint or remove the URL so it uses a trusted host; 2) be aware the monitored account list and prompt will be transmitted to that API host; 3) the skill does not get real tweet data unless the LLM endpoint has live web access — consider implementing Twitter API fetching (with explicit Twitter credentials) if you need accurate recent activity; 4) ensure Python 'requests' is installed; 5) if you cannot verify the GROK_API_URL operator (cheaprouter.club), avoid supplying credentials and treat this skill as untrusted. If the author can (a) declare GROK_API_KEY in the manifest, (b) use a trustworthy API URL (or document that you must use the official Grok/OpenAI/Anthropic endpoint), and (c) actually fetch tweets via a justified mechanism (Twitter API or a documented, trusted feed), the concerns would be largely resolved.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose is to generate daily reports from Twitter/X activity. The included script does not call the Twitter API or scrape X; instead it sends a prompt (which lists monitored accounts) to an LLM endpoint and asks the model to 'query the past 24 hours'. That is not sufficient to obtain live tweet data unless the configured LLM endpoint has external browsing/tweet access. Also the skill metadata declares no required env vars, but runtime instructions and the script require GROK_API_KEY (and optional GROK_API_URL/MODEL). This mismatch between manifest and runtime is incoherent.
Instruction Scope
concern: SKILL.md and README instruct the user to set GROK_API_KEY and optionally GROK_API_URL and GROK_MODEL. The runtime prompt embeds the full list of monitored users and asks the LLM to summarize the past 24 hours. The script never fetches tweets itself, so it relies entirely on the LLM having live access — an unrealistic assumption. The prompt containing the list of accounts and the request for recent activity will be transmitted to the configured API endpoint, which is a privacy/credential exposure risk if the endpoint is untrusted.
Install Mechanism
note: No install spec (instruction-only with a Python script). This is low-risk in terms of automatic package downloads. However, the script depends on the 'requests' Python package but does not declare or install it; users will need to ensure dependencies are present. No external archives or unknown installers are used.
Credentials
concern: Asking for a single API key (GROK_API_KEY) is proportionate for calling an LLM service — but the skill manifest lists no required env vars, creating inconsistency. More importantly, the SKILL.md defaults GROK_API_URL to https://api.cheaprouter.club/v1/chat/completions (an untrusted/non-official domain). Pointing users to a third-party router/proxy for their API key is a potential credential-exfiltration vector: the key and the prompt (including monitored account list) would be sent to that host. No Twitter credentials are requested despite claiming to report on recent tweets.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system configurations. Autonomous invocation is allowed (platform default) but that, on its own, is normal and not a red flag here.