Skill v1.4.1
ClawScan security
twit-mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Mar 10, 2026, 3:24 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to implement the advertised X/Twitter micropayment gateway and legitimately requires a wallet private key, but it stores Twitter credentials unencrypted and grants an autonomous agent the ability to sign on-chain payments from that key — risks that users should understand before installing.
- Guidance: This skill is internally consistent with its description, but it requires you to provide a full wallet private key and will sign small USDC payments automatically. Before installing: (1) Use a dedicated wallet with only minimal funds (do not use a main wallet). (2) Review the npm package provenance (who maintains twit-mcp / twit.sh) and prefer installing from a trusted source. (3) Be aware Twitter credentials are saved unencrypted to ~/.twit-mcp-credentials.json — treat that file as sensitive or run the MCP in an isolated environment. (4) Consider running the MCP in a sandbox, review the source code yourself (or have a reviewer) if you plan to put non-trivial funds behind the private key, and monitor wallet activity closely after enablement.
Review Dimensions
- Purpose & Capability (ok): Name/description (twit-mcp, x402 micropayments, read/write X data) match the code and dependencies: it calls an x402 API, signs payments locally with an EVM private key, and exposes read/write tools. Requiring npx and a WALLET_PRIVATE_KEY is coherent with the stated payment-based design.
- Instruction Scope (note): SKILL.md and code direct the agent to open a browser (Playwright) to connect a Twitter/X account and save credentials locally. Tool calls all go through API_BASE (default https://x402.twit.sh) and payment is handled locally. The instructions explicitly save Twitter auth tokens to ~/.twit-mcp-credentials.json (plaintext), which is functional but exposes sensitive credentials on disk.
- Install Mechanism (note): Install uses an npm package (twit-mcp) and exposes a twit-mcp binary — expected for a Node-based MCP. npm installs are a moderate-risk mechanism (supply-chain risk) but consistent with the package manifest; no remote ad-hoc downloads or obfuscated fetches are present in the bundle.
- Credentials (concern): Only WALLET_PRIVATE_KEY is required (declared as primary credential), which is necessary for the x402 payment signing behavior — so the request for a private key is proportionate to the payment feature. However, that key is highly sensitive: the skill can sign on-chain payments from it. The skill also reads optional TWITTER_AUTH_TOKEN / TWITTER_CT0 environment variables and stores Twitter credentials to disk unencrypted, increasing exposure.
- Persistence & Privilege (concern): always:false (good). But normal autonomous invocation (disable-model-invocation:false) combined with a private key that can sign USDC payments increases the blast radius: an agent could call many paid endpoints and drain funds without additional user confirmation. The skill writes credentials to ~/.twit-mcp-credentials.json (persistent, plaintext) but does not appear to modify other skills or global agent configuration.
