Skill v1.0.0

ClawScan security

xfetch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 12:16 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The SKILL.md is consistent with an X/Twitter scraping tool, but it instructs the agent to read sensitive browser cookies/profiles and implies running an npm package from an unvetted source without any install spec, which raises privacy and supply-chain concerns.
Guidance
This SKILL.md is coherent with a cookie-based X/Twitter scraper, but it requires reading browser cookies/profiles (sensitive) and implies using an npm package (@lxgic/xfetch) from an unknown source. Before installing or using it:
1) Confirm where the 'xfetch' binary would come from and review the npm package's source and maintainer.
2) Weigh the privacy risk of granting access to your browser profile, cookies and DMs; do not run it on machines with sensitive accounts.
3) Prefer official APIs with scoped credentials where possible.
4) If you must run it, do so in an isolated environment (VM/container) and inspect where it stores auth tokens and any downloaded code.
5) Be aware this may violate X/Twitter terms of service and could expose private messages and tokens if misused.
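To carry out steps 1 and 4 without executing anything from the registry, the following Python is an added example; it is not part of the ClawScan report or of the @lxgic/xfetch project. It assumes you have already obtained the package manifest with a command that downloads but does not run code, such as `npm pack @lxgic/xfetch` followed by extracting package/package.json, or `npm view @lxgic/xfetch --json`. The manifest embedded below is constructed for illustration and describes nothing about the real package; the function names are the example's own.

```python
"""Pre-install vetting of an npm package manifest before running it via npx/bunx.

Added example; not from the ClawScan report or the @lxgic/xfetch project.
Input is a package.json obtained WITHOUT executing code (e.g. `npm pack <pkg>`
and extracting package/package.json, or `npm view <pkg> --json`).
SAMPLE_MANIFEST is constructed for illustration only.
"""
import json

# Lifecycle hooks npm runs automatically on install: the point where an
# unvetted `npx <pkg>` turns into arbitrary code execution on the host.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specs that bypass the registry (no registry integrity metadata).
NON_REGISTRY_PREFIXES = ("git", "github:", "gitlab:", "bitbucket:", "http://", "https://", "file:")


def vet_manifest(manifest):
    """Return a list of human-readable findings for a parsed package.json.

    An empty list means nothing was flagged; it does NOT mean the package is
    safe, only that these cheap static checks passed.
    """
    findings = []

    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle hook '{hook}' runs at install time: {scripts[hook]}")

    if not manifest.get("repository"):
        findings.append("no 'repository' field: published tarball cannot be matched to a source tree")

    bins = manifest.get("bin")
    if isinstance(bins, str):  # shorthand form: "bin": "cli.js" names the package itself
        bins = {manifest.get("name", "<unnamed>"): bins}
    for name, path in (bins or {}).items():
        findings.append(f"installs executable '{name}' -> {path}")

    for dep, spec in (manifest.get("dependencies") or {}).items():
        if str(spec).startswith(NON_REGISTRY_PREFIXES):
            findings.append(f"dependency '{dep}' is fetched outside the registry: {spec}")

    return findings


def pinned_install_commands(name, version):
    """Commands to obtain an exact version without running lifecycle scripts.

    Run them in an empty directory inside the VM/container you intend to use:
    `npm pack` only downloads the tarball, and `--ignore-scripts` skips the
    hooks above so the code can be read before anything executes.
    """
    pkg = f"{name}@{version}"
    return [
        f"npm pack {pkg}",
        f"npm install --ignore-scripts {pkg}",
    ]


# Constructed manifest (illustrative only; not the real @lxgic/xfetch package.json).
SAMPLE_MANIFEST = json.loads("""
{
  "name": "example-cli",
  "version": "1.0.0",
  "bin": {"example-cli": "dist/cli.js"},
  "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"},
  "dependencies": {
    "better-sqlite3": "^9.0.0",
    "helper": "git+https://example.invalid/helper.git"
  }
}
""")

if __name__ == "__main__":
    for finding in vet_manifest(SAMPLE_MANIFEST):
        print("FLAG:", finding)
    for cmd in pinned_install_commands("example-cli", "1.0.0"):
        print("RUN :", cmd)
```

On the constructed manifest the checks flag the postinstall hook, the missing repository field, the installed executable and the git-sourced dependency. Any flagged hook or non-registry dependency is the code to read first; a clean result only means the next step (reading the CLI source in the extracted tarball, and watching where it writes auth state) is still required.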

Review Dimensions

Purpose & Capability
ok · The name/description state the tool fetches X/Twitter data and the SKILL.md describes exactly that (tweets, profiles, DMs, notifications, exports). The requested capabilities (cookie-based auth, pagination, output formats) are coherent with a scraper CLI.
Instruction Scope
concern · The SKILL.md explicitly instructs extracting cookies from the user's browser (chrome/firefox/safari/arc/brave and specific profiles), setting auth tokens, reading/writing cursor state and output DB/files, and accessing DMs and bookmarks. Those actions require reading local browser profile data and writing local files, which are sensitive operations not declared elsewhere. The instructions also allow proxy URLs with embedded credentials and proxy-file rotation, so proxy credentials may be handled and stored by the tool.
Install Mechanism
note · There is no install spec (instruction-only), which is low risk by itself, but the markdown references running the CLI via 'npx @lxgic/xfetch' / 'bunx @lxgic/xfetch' and says it is installed globally as 'xfetch'. That implies downloading and executing an npm package from an external registry at runtime (supply-chain risk). The skill does not supply a vetted install source or verify package integrity.
Credentials
concern · requires.env is empty, but the instructions require access to local browser cookies/profiles and accept proxy URLs (which can include credentials). The skill can store auth tokens and output files. These are highly sensitive capabilities relative to the simple 'fetch tweets' description and should be explicitly declared and justified.
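The proxy concern above is concrete: a proxy URL of the form scheme://user:pass@host:port carries a secret that ends up in whatever config, cursor state or log the tool writes. The Python below is an added example, not part of the ClawScan report or of the @lxgic/xfetch project; it audits a proxy rotation file for embedded credentials, produces a redacted form safe for logs, and flags schemes over which the secret travels in cleartext. The proxy file contents and hostnames are constructed, and the function names are the example's own.

```python
"""Detect and redact embedded credentials in proxy URLs / proxy rotation files.

Added example; not from the ClawScan report or the @lxgic/xfetch project.
SAMPLE_PROXY_FILE is constructed for illustration; no host or secret is real.
"""
from urllib.parse import urlsplit, urlunsplit

# Only an https:// proxy carries Proxy-Authorization inside TLS. An http://
# proxy sends Basic auth in the clear, and SOCKS5 username/password auth
# (RFC 1929) is cleartext by design.
ENCRYPTED_SCHEMES = ("https",)


def audit_proxy_url(url):
    """Describe one proxy URL: whether it embeds credentials, a redacted form
    safe for logs/output files, and whether the secret would travel in cleartext."""
    url = url.strip()
    parts = urlsplit(url)
    has_creds = parts.username is not None or parts.password is not None

    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal loses its brackets in .hostname; restore them
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"

    redacted = urlunsplit(parts._replace(netloc=f"***:***@{host}")) if has_creds else url
    return {
        "url": redacted,
        "has_credentials": has_creds,
        "cleartext": has_creds and parts.scheme.lower() not in ENCRYPTED_SCHEMES,
    }


def audit_proxy_file(text):
    """Audit every non-blank, non-comment line of a proxy rotation file."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        results.append(audit_proxy_url(line))
    return results


# Constructed proxies.txt (illustrative only).
SAMPLE_PROXY_FILE = """
# rotation list
http://proxyuser:s3cret@proxy.example:8080
socks5://10.0.0.5:1080
https://user2:pw@secure-proxy.example:443
"""

if __name__ == "__main__":
    for r in audit_proxy_file(SAMPLE_PROXY_FILE):
        if r["has_credentials"]:
            status = "CREDENTIALS (cleartext)" if r["cleartext"] else "CREDENTIALS"
        else:
            status = "ok"
        print(f"{status:24} {r['url']}")
```

The redacted form is what should appear in any log or exported file; the original line belongs only in the proxy file itself, which in turn belongs in the isolated environment and under restrictive file permissions like any other credential store.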
Persistence & Privilege
ok · The skill is not marked 'always:true' and is user-invocable; it does instruct saving and clearing its own auth state but does not request persistent platform privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with an 'always' flag.