twit-mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is usable for its stated Twitter/X purpose, but it gives an agent paid wallet access and broad control of a connected account while storing and sending live session cookies.

Install only if you intentionally want an agent to spend USDC from a dedicated low-balance Base wallet and operate a connected Twitter/X account. Keep approvals enabled for every write or delete action, avoid using a primary account or shared machine, and disconnect or revoke the session after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill requires access to a highly sensitive environment variable, `WALLET_PRIVATE_KEY`, but does not declare explicit permissions beyond metadata requirements. That creates a transparency and consent gap: an agent or user may not appreciate that the skill can directly spend funds by signing payments with a wallet key. In this context, undeclared secret access is security-relevant because the skill's core behavior includes automated micropayments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The public description emphasizes Twitter access via micropayments without API keys, but the documented behavior also includes browser-based login, credential capture/storage, and destructive account actions like delete, unfollow, and unretweet. This mismatch is dangerous because users may authorize the skill expecting read-oriented access while it can obtain persistent social-media credentials and perform high-impact write actions. The combination of payment authority plus account-session handling makes the understated behavior materially riskier.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The type definitions expose a local credential persistence mechanism for Twitter session secrets (`authToken` and `ct0`) even though the skill advertises no-auth, no-API-key access via micropayments. Persisting reusable session tokens on disk increases the blast radius of local compromise, accidental leakage, or misuse by other components, and the mismatch between the advertised model and actual behavior is a trust and security concern.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata advertises posting, liking, retweeting, bookmarking, and following, but the implementation also supports destructive actions such as unlike, unretweet, unfollow, unbookmark, and delete_tweet. That mismatch can cause users or orchestrators to authorize the skill under an incomplete understanding of its capabilities, increasing the chance of unintended account-impacting actions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The server description presents the skill as providing real-time X/Twitter data, but the code also implements account connection and numerous state-changing actions. This understates the privilege and risk of the skill, which is dangerous in agent settings where users or policy layers rely on descriptions to assess trust and approval requirements.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The server advertises itself primarily as a read-only real-time X/Twitter data tool, but the implementation also exposes many state-changing actions such as posting, deleting, liking, retweeting, following, and credential-management flows. This capability mismatch is dangerous because agents or users may grant trust under false assumptions and then invoke destructive or account-modifying operations without informed consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code includes a delete_tweet tool that performs irreversible account changes, yet this destructive behavior is not disclosed in the stated skill description. Hidden destructive capabilities increase the risk of accidental or unauthorized use by an agent operating under the assumption that the skill is limited to data retrieval and routine engagement actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README uses broad natural-language activation phrases like 'connect my Twitter' or 'connect my X' to trigger an account-linking flow that opens a browser and stores credentials. In an agent setting, vague phrases can be invoked unintentionally or via prompt injection/social engineering, causing an external auth flow and persistent account linkage without sufficiently explicit user intent verification.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises write and destructive actions such as post, delete, like, bookmark, retweet, follow, and unfollow, but the README does not state that agents must obtain explicit confirmation before executing them. In an autonomous or semi-autonomous agent context, this increases the risk of accidental social actions, reputational harm, and irreversible user-account changes triggered by ambiguous requests or prompt injection.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README discloses that Twitter credentials are stored locally in a predictable file path but does not warn about filesystem permissions, encryption, or the sensitivity of those stored tokens. This normalization of local secret storage without safeguards can lead to credential theft by local malware, other users on the system, backups, or overly permissive file permissions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that Twitter credentials are saved locally to `~/.twit-mcp-credentials.json` but gives no warning about theft, local compromise, filesystem permissions, or session persistence. Storing reusable social-media session material on disk without documented safeguards increases the risk of account takeover if the host or home directory is exposed. In this skill, that danger is amplified because the stored credentials enable immediate write actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The post_tweet flow sends Twitter session credentials (auth_token and ct0) to a remote third-party API so that the service can act on the user's behalf. Forwarding live session cookies off-device materially increases account takeover risk if the service, logs, or intermediaries are compromised, and the danger is amplified here because the skill performs authenticated write actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill places sensitive Twitter credentials into URL query parameters for authenticated actions such as retweet/like/follow/bookmark operations. Query parameters are commonly exposed in logs, proxies, browser history, tracing systems, and server access logs, making credential leakage more likely than if they were sent in protected headers or request bodies.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill requires a wallet private key and automatically wraps all API requests with a payment client, but it does not provide a clear user-facing warning at point of use that invoking tools can spend USDC. In an agent context, hidden financial side effects are risky because even read operations become paid actions and may be triggered repeatedly or unexpectedly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code persists Twitter session credentials in plaintext to a predictable file in the user's home directory with no permission hardening, encryption, or secure storage mechanism. On multi-user systems, shared environments, backups, malware, or other local processes could recover these tokens and use them to act as the victim account, which is especially dangerous here because the skill supports write actions like posting, liking, retweeting, bookmarking, and following.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The post_tweet flow transmits Twitter session credentials (auth_token and ct0) to a third-party remote API so it can act on behalf of the user. Sending live session cookies off-box effectively delegates full account session power to that service, and there is no runtime consent or warning at the moment of use to ensure the user understands the trust boundary.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code places stored Twitter session credentials into URL query parameters for remote requests. Query strings are commonly logged by servers, proxies, observability tooling, browser/network instrumentation, and error traces, which substantially increases the chance of credential leakage and account takeover.

Missing User Warnings

High
Confidence
99% confidence
Finding
The follow_user action sends auth_token and ct0 to the remote API via query parameters without user confirmation. Because these are session credentials, compromise or logging of the request can enable broader unauthorized access than just the follow operation, including full account actions available to that session.

Missing User Warnings

High
Confidence
99% confidence
Finding
The unfollow flow has the same unsafe design: session credentials are embedded in the request URL and sent to a remote service without an explicit warning or consent checkpoint. This exposes sensitive credentials to logs and intermediaries while also enabling silent account modification through an under-disclosed write-capable skill.

Missing User Warnings

High
Confidence
98% confidence
Finding
Bookmark and similar endpoints transmit stored Twitter credentials in URL query strings, creating repeated opportunities for leakage through logging and monitoring systems. Since the same credential pattern is reused across multiple write actions, the attack surface is broad and any leak could result in session hijacking and arbitrary account activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The login flow harvests Twitter session cookies from the browser and persists them locally for later automated use, but it does not ask for explicit confirmation before storing these powerful credentials. Persisting long-lived session material increases exposure to local compromise, malware, accidental disclosure, or reuse by other tools running with the same user privileges.

Credential Access

High
Category
Privilege Escalation
Content
1. Call `connect_twitter` — a Chrome window will open at x.com
2. The user logs in if prompted
3. Once confirmed, credentials are saved locally to `~/.twit-mcp-credentials.json`
4. Write actions are available immediately — no restart needed

If a write action is requested and no account is connected, call `connect_twitter` first and wait for confirmation before proceeding.
Confidence
94% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.
