ClawHub
Back to skill

Security audit

Tweet Summarizer Lite

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to fetch and summarize tweets, but it uses sensitive Twitter session cookies and stores data in paths that do not match its declared permissions.

Review before installing. Only use this with a Twitter/X account whose session cookies you are comfortable exposing to the skill and the bird CLI. Be aware that fetched tweets are stored locally under tweets-lite despite documentation naming tweets, and check or delete that workspace data if tweets may reveal private research, protected-account content, or sensitive interests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp1

High
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The script reads a config file from the user's home directory, which is file-read capability beyond the manifest's stated write-only tweet directory access. While reading its own config is common, it is still an undeclared capability and weakens permission accuracy, which can hide broader file access than users expect.

Lp1

High
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The script reads a config file from the user's home directory, which is file-read capability beyond the manifest's stated write-only tweet directory access. While reading its own config is common, it is still an undeclared capability and weakens permission accuracy, which can hide broader file access than users expect.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The credential-checking function explicitly expects Twitter session secrets and coaches the user to obtain them from browser cookies. For a lightweight tweet summarizer, handling raw session tokens materially increases the skill's sensitivity and creates risk of account takeover if those values are exposed, logged, or reused elsewhere.

Scope Creep

High
Confidence
95% confidence
Finding
The code accesses AUTH_TOKEN and CT0 from the environment even though the manifest only declares network access via bird CLI and limited filesystem writes. This mismatch is dangerous because it bypasses the expected trust boundary: a user may permit bird CLI network use without realizing the skill can directly inspect high-value session credentials from the process environment.

Scope Creep

Medium
Confidence
84% confidence
Finding
The code reads from ~/.openclaw/workspace/data/tweets-lite, while the manifest declares filesystem access only for ~/.openclaw/workspace/data/tweets/. That mismatch means the skill accesses data outside its disclosed storage location, undermining least-privilege expectations and potentially exposing or relying on undeclared data stores. In this skill context, hidden or alternate tweet storage is more concerning because tweet content may contain sensitive browsing or research history.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill metadata declares filesystem access to ~/.openclaw/workspace/data/tweets/, but the code reads from ~/.openclaw/workspace/data/tweets-lite/index.json instead. This mismatch breaks the permission boundary expected by reviewers and users, and can cause the skill to read data from an undeclared location, undermining trust and potentially exposing unintended local data if that alternate directory is populated.

Scope Creep

High
Confidence
97% confidence
Finding
The code accesses Path.home() / '.openclaw' / 'workspace' / 'data' / 'tweets-lite', which is outside the manifest-declared allowed directory. Even though this specific path is still under the workspace tree, it is an undeclared filesystem target and therefore expands the skill's effective access beyond what was authorized, creating a path-confusion issue and weakening sandbox/policy assumptions.

Scope Creep

High
Confidence
99% confidence
Finding
The manifest says the skill may write to `~/.openclaw/workspace/data/tweets/`, but the code actually writes to `~/.openclaw/workspace/data/tweets-lite/`. Writing outside the declared path violates the permission boundary and can undermine sandboxing, auditing, and user expectations about where fetched data is stored.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README encourages very broad, natural-language triggers such as "Grab this tweet and save it" and "Summarize that tweet I saved earlier," which can overlap with normal conversation and make the skill activate unintentionally. In this skill's context, unintended activation is more dangerous because it has network access to X/Twitter via authenticated session cookies and writes fetched content to local storage, so accidental invocation can leak browsing intent, fetch untrusted content, and persist data without clear user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The description markets the skill as "simple and lightweight" but does not clearly warn users up front that tweet contents are persisted locally. In this skill's context, the omission matters because saved tweets may contain sensitive searches, political interests, account associations, or other user activity metadata, and the skill also uses authenticated Twitter session cookies to retrieve data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill writes fetched tweet content to local storage, but the description and usage guidance do not clearly warn users that content will be persisted. This can create privacy and data-retention risk, especially if users expect a one-time lookup rather than durable storage of potentially sensitive or identifying content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to obtain `AUTH_TOKEN` and `CT0` from browser cookies without a prominent warning that these are sensitive session credentials. Exposing or mishandling such cookies could enable account access or unauthorized API activity, making the guidance security-sensitive even if intended for setup.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The fetch trigger phrases are broad enough that normal conversation or pasted content could accidentally invoke network access and tweet retrieval. In a skill with network and local-write permissions, overly permissive activation increases the chance of unintended external requests and unintended persistence of retrieved content.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guidance tells users how to copy auth_token and ct0 cookies but does not prominently warn that these are highly sensitive session credentials that can grant account access. Omitting safe-handling guidance increases the chance users will paste them into insecure shells, history files, screenshots, or logs.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script persistently stores fetched tweet content locally, but this behavior is not disclosed in the top-level usage/help text. While not a direct exploit primitive, undisclosed retention of fetched content is a privacy and transparency issue, especially in an agent skill where users may assume a one-off lookup rather than local indexing.

Ssd 3

High
Confidence
97% confidence
Finding
The script instructs users to extract live browser cookies from Twitter and export them as shell environment variables, effectively turning session cookies into reusable bearer credentials. In the context of a tweet summarizer, this is especially dangerous because the functionality does not justify training users to expose account-session secrets, and compromise of those values could enable full account misuse.

Session Persistence

Medium
Category
Rogue Agent
Content
- bird
permissions:
  - network: Contact X/Twitter API via bird CLI (uses session cookies)
  - filesystem: Write tweets to ~/.openclaw/workspace/data/tweets/
---

# Tweet Summarizer Lite
Confidence
90% confidence
Finding
Write tweets to ~/.openclaw/workspace/data/tweets/ --- # Tweet Summarizer Lite Use this skill when the user asks to fetch, read, save, or summarize a single tweet from Twitter/X. ## When to Use ✅

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal