Twitter Cli

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill is functional and mostly disclosed, but it asks for or auto-reads highly sensitive session cookies and can perform account-changing actions with limited safeguards.

Install only if you are comfortable giving an agent access to your active Twitter/X session. Do not paste full Cookie headers into chat or public issues. Prefer a dedicated browser profile or throwaway account, review every write action before allowing it, and avoid using this on accounts where unintended posts, follows, likes, or cookie exposure would be serious.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly uses sensitive capabilities including shell execution, network access, environment variables, and file I/O, but does not declare permissions or constraints. This weakens reviewability and consent because an agent may invoke powerful operations without an explicit capability boundary, which is especially risky in a skill that handles authentication material and performs external actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The workflow explicitly sets NODE_TLS_REJECT_UNAUTHORIZED=0, which disables TLS certificate validation for outbound HTTPS requests during publication. This allows a machine-in-the-middle attacker to impersonate the registry endpoint, intercept the bearer token, and tamper with the uploaded package contents or server responses.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The README advertises anti-detection measures, full browser-cookie forwarding, TLS fingerprint impersonation, and randomized delays to avoid platform detection. In an agent skill, this materially increases risk because it encourages credential harvesting from local browsers and stealthy use of a user's Twitter session outside normal consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Automatically extracting cookies from multiple local browsers and forwarding all Twitter cookies exceeds the minimum needed for a normal Twitter client. In a skill context, this exposes highly sensitive session material from the host machine and can enable account takeover or abuse if mishandled, logged, or reused.

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
A diagnostic command that reports OS, browser detection, Keychain status, and cookie extraction results gathers sensitive host reconnaissance beyond ordinary Twitter actions. In an agent workflow, users may paste this output into tickets or chats, unintentionally disclosing credential-related or environment-sensitive information.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill contradicts its own safety guidance by instructing the agent to ask the user to paste a full Cookie header into chat, which can expose live session credentials in conversation logs, telemetry, or downstream tooling. Those cookies may allow account takeover or unauthorized actions if retained or intercepted.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This file is designed to read and decrypt Twitter/X cookies directly from local browsers, including accessing macOS Keychain and Linux keyrings, then use them for authentication. That is a sensitive credential-access capability far beyond ordinary Twitter operations and creates a serious risk of unauthorized account takeover or misuse if the skill runs without explicit, informed consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code spawns subprocesses specifically to harvest browser cookies and even provisions extra tooling via 'uv run --with browser-cookie3' if unavailable. Dynamically invoking auxiliary tooling to access local credentials expands the attack surface and exceeds the narrow capability users would expect from a Twitter interaction skill.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code explicitly aggregates and forwards all Twitter-related browser cookies to emulate a 'full browser fingerprint,' not merely the minimum auth values needed. In the context of a Twitter CLI skill, this mismatch between stated purpose and actual capability materially increases the danger because users are unlikely to expect broad browser credential harvesting.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The doctor command goes beyond normal Twitter operations and performs host-side diagnostics, including environment inspection, cookie extraction paths, and authentication verification. In an agent skill context, this expands the tool's authority to probe local auth state and system details that a user may not expect to be exposed or emitted in structured output.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This section reads local environment state such as SSH indicators and Twitter auth-related variables, which is outside the expected scope of ordinary Twitter read/write actions. In an agent setting, such host introspection can leak operational context and reveal whether credentials are present, enabling reconnaissance for follow-on abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The bug template explicitly asks users to paste `twitter doctor` output to diagnose cookie and authentication issues, but it provides no warning to review and redact secrets before submitting a public issue. In a Twitter/X CLI context, diagnostic and verbose logs may contain cookies, auth tokens, usernames, headers, filesystem paths, or other sensitive session material, creating a realistic risk of credential leakage and account compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow suppresses certificate verification with only an inline comment as justification, meaning the insecure behavior can silently persist in automation. In CI, this is particularly dangerous because secrets are present and network trust is assumed; an attacker on the path can capture the token or alter the published artifact without detection.

Vague Triggers

High
Confidence
93% confidence
Finding
The manifest says to use this skill for ALL Twitter/X operations, which is overly broad and encourages automatic invocation for both read and write actions. In context, this is more dangerous because the skill can authenticate using browser cookies and perform account-affecting actions like posting, liking, following, and deleting.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions actively guide the agent to solicit and process raw Twitter authentication secrets, including extracting tokens from a full cookie string, without sufficient up-front risk framing or secure handling guarantees. This creates a direct path for credential leakage and misuse, particularly in an agent setting where chat transcripts and command history may persist.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The browser extraction path accesses sensitive authentication material from local browser stores without any visible user-facing warning, confirmation, or consent mechanism in this code path. Silent collection of local session cookies is dangerous because it can surprise users and convert an ordinary skill invocation into credential access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This verification logic transmits authentication cookies to remote Twitter/X endpoints automatically, again without any explicit user-facing notice in the flow shown. Sending session cookies off-host, even to the intended service, is a sensitive action that should be transparent and consensual because it can validate and operationalize stolen or unexpectedly harvested credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The doctor command inspects authentication sources and emits diagnostics without a prominent warning that sensitive auth state and local environment details may be examined and returned. Even if raw secrets are not printed here, presence/absence, profile overrides, and cookie-validation results can disclose valuable information to an untrusted caller or prompt-injected workflow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This client automatically sends active Twitter session credentials in the Cookie and CSRF headers on every authenticated request, enabling account-scoped actions without any user-visible notice, consent checkpoint, or limitation in this layer. In an agent skill context, that increases the risk of silent credential use and unintended account access if higher layers invoke these methods on the user's behalf.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file exposes multiple state-changing methods—posting, deleting, liking, retweeting, bookmarking, following, and unfollowing—that execute immediately once called, with no confirmation, dry-run mode, policy guardrails, or user-intent verification. In an agent-integrated Twitter skill that is meant to handle all Twitter/X operations, this is especially dangerous because a prompt misunderstanding, prompt injection, or malicious task could directly trigger irreversible or reputation-impacting actions on a user's account.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly tells the agent to have the user send a full Twitter cookie string in chat, exposing highly sensitive session material through natural-language interaction. In this skill's context, that is especially dangerous because the same skill can immediately use those credentials to perform high-impact actions on the user's account.

VirusTotal

55/55 vendors flagged this skill as clean.
