ai-twitter-digest

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Twitter/X digest skill, but users should be careful because setup can reuse OpenClaw credentials and store API keys locally.

Install only if you are comfortable giving this skill AISA and LLM API keys and allowing it to post to the selected chat target. To avoid OpenClaw auth auto-detection, create scripts/.env manually instead of running setup.py. Keep scripts/.env out of source control and backups, restrict its permissions where possible, test with a low-risk channel first, and add the cron job only if unattended posting is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'STATE_FILE' from os.environ.get (line 64, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_sent_tweets(ids):
    ids_list = sorted(ids)[-MAX_STORED_IDS:]
    with open(STATE_FILE, "w") as f:
        json.dump({"tweet_ids": ids_list,
                   "updated": datetime.now(timezone.utc).isoformat()}, f)
Confidence
81% confidence
Finding
with open(STATE_FILE, "w") as f:

Tainted flow: 'key' from os.environ.get (line 252, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    if not key:
        return None
    try:
        r = requests.post(
            f"https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent?key={key}",
            headers={"Content-Type": "application/json"},
            json={"contents": [{"parts": [{"text": prompt}]}]},
Confidence
91% confidence
Finding
r = requests.post( f"https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent?key={key}", headers={"Content-Type": "application/json"},

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions even though the documentation clearly indicates capabilities for environment access, file read/write, network access, and shell execution. This is dangerous because users and policy engines cannot accurately assess or constrain what the skill can do, especially since setup reads credentials and writes them to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as a Twitter-to-Discord digest, but the documented behavior includes credential discovery from OpenClaw config/environment, connectivity tests to multiple external providers, and delivery to several messaging platforms. This mismatch undermines informed consent and can cause users to expose secrets or send data to destinations they did not expect.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The manifest frames the skill as delivering to Discord, but the configuration supports multiple other channels. While not inherently malicious, this discrepancy can mislead users about where data may be sent and weakens trust and auditability.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation says setup writes a .env file containing API credentials but does not prominently warn users about secret persistence on disk. Persisted credentials increase the risk of accidental disclosure through backups, source control inclusion, permissive file permissions, or later compromise of the host.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends tweet content and related metadata to third-party LLM providers for summarization, but this data transfer is not clearly disclosed in the main description. Lack of notice can create privacy, compliance, and data-governance issues, especially in environments with restrictions on external AI services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends collected tweet content to third-party LLM providers for summarization without an explicit user-facing notice or consent flow. In this context, the data is public tweets, so the privacy impact is limited, but users may still reasonably expect local processing or provider-specific controls; the multi-provider fallback also means data may go to different vendors depending on available keys.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup wizard silently reads credentials from another tool's auth.json and imports them into its own configuration flow without prior explicit consent. In a security-sensitive agent ecosystem, cross-context credential harvesting increases the chance of unauthorized reuse, surprise disclosure, and violation of least-privilege expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes multiple API keys into a plaintext .env file without warning about local secret persistence, file permissions, or downstream exposure. This is dangerous because setup helpers are often run casually, and users may not realize credentials are being copied into an additional storage location that could be committed, backed up, or read by other local processes.

Session Persistence

Medium
Category
Rogue Agent
Content
- Auto-detect API keys from your environment and OpenClaw config
- Prompt for any missing keys (AISA, LLM, Discord channel)
- Test connectivity to AISA and your chosen LLM provider
- Write a `.env` file — no manual editing needed

> If you prefer manual setup, create `scripts/.env` with the following content:
>
Confidence
87% confidence
Finding
Write a `.env` file — no manual editing needed > If you prefer manual setup, create `scripts/.env` with the following content: > > ```env > AISA_API_KEY=your_aisa_key_here > DELIVERY_CHANNEL=discord

VirusTotal

64/64 vendors flagged this skill as clean.
