Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Twitter Thread Generator
v1.0.0
Generate optimized, engaging Twitter threads from any topic with viral hooks, structured formatting, and auto-posting readiness.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill describes generating and even 'auto-posting' Twitter threads. The runtime instructions and _meta.json show it expects an OPENAI_API_KEY (for content generation), which is coherent, but there are no Twitter/posting credentials or explanation of how auto-posting would work. The SKILL.md also references running python thread_gen.py, but no code files are included in the package — a direct mismatch between claimed functionality and delivered artifacts.
Instruction Scope
SKILL.md only tells the user to pip install the openai client and set OPENAI_API_KEY, and shows a usage line for a script that does not exist in the package. The instructions are vague about where 'auto-posting' or 'analytics' happen and do not define what data is sent where. Asking the user to install a package and set a key is reasonable for generation, but the missing script and lack of posting details expand agent/human responsibilities in unclear ways.
Install Mechanism
There is no formal install spec; the SKILL.md suggests pip install openai, which is a normal, low-risk dependency for an instruction-only skill. No downloads from arbitrary URLs or archive extraction are present.
Credentials
SKILL.md and _meta.json indicate the skill uses OPENAI_API_KEY, which is proportionate for an AI text generator. However, the registry metadata lists 'Required env vars: none' — that inconsistency should be resolved. Also, auto-posting would normally require Twitter API credentials (none requested), creating a capability/credential mismatch.
Persistence & Privilege
The skill does not request persistent presence (always:false) and includes no install script or code that would modify agent/system settings. No elevated privileges are requested.
What to consider before installing
This skill is plausible as an OpenAI-powered thread generator, but several things don't add up. Before installing or providing any API keys:
(1) Ask the author for the missing script (thread_gen.py) or a link to a source repository so you can inspect the code.
(2) Confirm whether the skill actually posts to Twitter and, if so, exactly how—what endpoints, which credentials are needed, and where tokens are stored. Do not supply Twitter credentials until you understand the posting flow.
(3) Resolve the metadata mismatch: registry says no env vars but SKILL.md/_meta.json require OPENAI_API_KEY.
If you decide to proceed, prefer creating a scoped OpenAI key with minimal usage limits, review the code offline, and avoid giving broad credentials or storing long-lived secrets until you can audit the implementation. If the author cannot provide source or clear technical details, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
