Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Topic Tweet
v1.0.9
Research a user-provided topic across the web and current social conversation, then publish one X post in the user's voice. Use when the user gives a topic,...
by Dishant Sharma (@dishant0406)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description match the instructions: research then publish one X post. It does not request unrelated credentials or binaries. One implicit dependency: it assumes access to an authenticated, openclaw-managed Chrome session able to publish on the user's X account — this is not declared as an environment/credential but is required to actually post.
Instruction Scope
The SKILL.md stays within the stated purpose (research, draft, open X, context pass, compose, post, verify, close tabs). It instructs the agent to read web and social posts and then to publish using the managed browser. This involves browsing potentially sensitive content in the user's session and performing actions as the user; that behavior is powerful and should only be allowed with explicit user consent. The frequent 'CRITICAL NON-NEGOTIABLE' rules (e.g., always use For You tab, never refresh) are unusual but do not by themselves indicate exfiltration or hidden actions.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by the skill itself.
Credentials
The skill requests no environment variables or external credentials. However, to perform its task it implicitly requires an authenticated browser session for the user's X account (managed Chrome). Verify how the platform provides and isolates that session (tokens, cookies, audit logs). There are no unrelated secrets requested.
Persistence & Privilege
The skill does not request always:true or persistent system-wide privileges. It is user-invocable and not force-included. It does not ask to modify other skills or agent configuration.
Assessment
This skill is coherent for its stated purpose, but before installing: (1) Confirm how OpenClaw's managed Chrome supplies access to your logged-in X/Twitter session — ensure you understand where cookies/tokens live and whether the agent has permission to post as you. (2) Be aware the agent will browse social feeds and may view or copy publicly posted content while composing; review the drafted post before it is published. (3) The skill includes unusual fixed browsing rules (For You tab, no refresh) — ask the developer why that sequence is required. (4) If you want tighter control, require a manual approval step before publishing, or test the skill on a throwaway account first. (5) If you have concerns about accidental posting or account misuse, do not grant browser posting permissions and instead ask the agent to prepare a draft only.
Like a lobster shell, security has layers — review code before you run it.
latest vk9710p9n7w3a36hp0phv23a7fh84p07e
