Twitter API Integration (Web Reversed)

Security checks across malware telemetry and agentic risk

Overview

This is a real Twitter/X automation toolkit, but it gives agents broader account, messaging, and purchase-related powers than the public summary clearly warns about.

Install only after reviewing and preferably disabling the password, phone deletion, subscription, DM, and bulk-follow/posting code paths. Use test or low-risk accounts, keep .env files private, rotate any exposed credentials, and add explicit confirmation or dry-run controls before letting an agent perform public posts, follows, purchases, or account-security changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises substantial capabilities including environment-variable access, file I/O, and networked Twitter/X automation, but does not declare permissions or capability boundaries in the skill manifest. This reduces transparency for reviewers and users, making it easier for sensitive actions like cookie handling, local data persistence, and outbound requests to occur without explicit acknowledgement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents the skill as a relatively narrow toolkit for timeline, notifications, posting, and follow operations, while the underlying code reportedly supports far broader and more sensitive functions such as DMs, profile changes, credential-changing operations, blocking, deletion, and subscription-related actions. This mismatch materially increases risk because operators may trust and deploy the skill without realizing it can perform destructive or high-impact account actions using session cookies.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script iterates over all configured accounts and performs the same follow action against a single target, enabling coordinated multi-account behavior from one command. In the context of a Twitter/X automation skill, this meaningfully increases abuse potential because it can be used to manufacture follower growth or orchestrate platform-manipulating actions across several accounts.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The package initializer exports DirectMessageAPI even though the stated skill scope emphasizes timeline, notifications, posting, and follow operations. Exposing direct-message capabilities broadens the accessible attack surface and may enable private-message access or message sending that operators and downstream tooling do not expect from the manifest. In a cookie-based Twitter/X automation skill, that mismatch is more dangerous because authenticated session cookies can grant access to sensitive account data and actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The optional memory logging records the full contents of private direct messages, recipient identifiers, and metadata into a secondary storage path that is outside the core DM-sending purpose of this module. In an agent skill context, this increases the privacy and data-retention risk substantially because sensitive user communications may be persisted, later exposed through logs/memory retrieval, or repurposed by other agent components without clear consent or minimization controls.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file exposes sensitive account-management actions that go beyond the declared skill purpose of timeline, notifications, posting, and follow automation. In particular, password change and phone deletion materially increase the skill's power over the account and could be abused to lock out the legitimate user or weaken account recovery, especially in an agent context where actions may be triggered remotely or with limited oversight.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The profile-editing functions expand the skill's capabilities beyond the manifest's enumerated automation scope, creating a scope mismatch between what users expect and what the code can do. While profile updates are less severe than credential or recovery-factor changes, they still allow unauthorized identity changes, impersonation, or reputational harm if the agent is misused or compromised.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The change_password method grants the skill the ability to rotate account credentials, which is far outside the stated automation purpose and represents a direct account-takeover primitive. In a cookie-authenticated agent, this is especially dangerous because an attacker, compromised workflow, or unintended prompt chain could change the password and effectively seize control of the account.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The delete_phone method can remove a recovery and security contact factor from the account without any apparent business need for the declared automation scope. This can reduce the user's ability to recover the account and can be paired with other account changes to entrench unauthorized control.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This module adds paid subscription management, including purchase-related operations, which is outside the declared scope of a Twitter/X automation skill focused on timeline, notifications, posting, and follow operations. In an agent context, unjustified financial capabilities increase the attack surface and could be abused to trigger unauthorized purchases using an authenticated account.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The create_subscription method can submit payment_method_id and subscription_type to an endpoint that creates a paid subscription. For an automation toolkit that operates with stored Twitter session cookies, this enables direct financial actions that a compromised agent, prompt injection, or misuse could perform without adequate user verification.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This timeline-processing module contains unrelated local secret-loading logic that searches for and parses .env files from the working directory. In an agent skill context, mixing data-processing code with implicit credential discovery broadens the module's privilege scope and can cause the skill to consume local secrets without an explicit, auditable handoff from the caller.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code writes fetched followings data to a local JSON file in a `response_logs` directory without any access control, redaction, or user disclosure. Because followings responses can contain sensitive account relationship data and possibly additional metadata returned by the API, this creates avoidable local data exposure and retention risk.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file embeds a live-looking proxy username/password directly in DEFAULT_CONFIG, which exposes a secret to anyone with source access and encourages downstream use of shared infrastructure without secure secret management. In a cookie-based Twitter/X automation skill, this is especially risky because the proxy may be used to route authenticated social-media actions, enabling abuse, account evasion, or unauthorized consumption of paid proxy resources if the credential is reused.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tool is advertised as fetching mentions, but its implementation calls home timeline APIs and may surface unrelated tweets. In an agent setting, this semantic mismatch can cause downstream automation to act on the wrong content, such as replying to or prioritizing tweets that were never actual mentions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation promises mention-only results, while the code itself acknowledges it may return "mentions and other tweets." This contract violation is dangerous for autonomous agents because they will trust the tool description and may take public actions based on non-mention timeline content.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The wrapper exposes DirectMessageAPI and SubscriptionAPI even though the declared skill scope only mentions timeline, notifications, posting, and follow operations. This creates a capability mismatch that can mislead operators, reviewers, or downstream policy controls, enabling access to private messaging or paid/subscription-related actions beyond the expected permission boundary.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata advertises timeline, notifications, posting, and follow operations, but this constants file exposes additional sensitive account-management capabilities including password change, phone removal, profile mutation, blocking, DMs, and subscription creation. In an agent skill, this scope mismatch is dangerous because downstream code can invoke destructive or monetization-related actions that users and reviewers would not reasonably expect from the declared functionality.

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
The constant named VERIFY_CREDENTIALS actually points to account/update_profile.json, which can mutate user profile data rather than simply verify identity. Mislabeling a state-changing endpoint as a harmless verification call can mislead developers, reviewers, or automated tooling and result in unintended account modification under the guise of a read-only action.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly advertises tweet posting and mass follow actions but does not clearly warn that these scripts perform account-modifying operations with live authenticated sessions. In an agent-skill context, that omission increases the chance that an operator or autonomous agent will trigger real actions unintentionally, causing spam, unwanted follows, or account policy violations.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README describes collecting notifications and storing them as JSON without explaining retention, access control, or privacy expectations for potentially sensitive social-graph and message metadata. In a reusable agent toolkit, this can lead to careless handling of exported account data and downstream leakage through logs, artifacts, or shared workspaces.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to supply live auth_token and ct0 session cookies and references posting/follow automation, but does not clearly warn that these are highly sensitive credentials or that the scripts can trigger irreversible account actions. In this context, omission of warnings is dangerous because stolen or mishandled cookies can grant direct control over a Twitter/X account and automation can cause reputational, policy, or account-lockout harm.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists raw Twitter timeline and notification data, including user/account metadata and tweet content, into timestamped files on local disk without minimization, redaction, retention controls, or any consent/disclosure mechanism. In the context of a cookie-based Twitter/X automation skill, this is more sensitive than generic logging because notifications and timelines can contain personal data, relationship graphs, and operationally sensitive account activity that could be exposed through local compromise, backup sync, or later reuse.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script persists raw notification data to notifications_raw.json on disk, which may contain sensitive account metadata, message previews, usernames, and interaction history. Storing raw account data locally without access controls, minimization, or an explicit warning increases the chance of unintended disclosure through local compromise, backups, logs, or repository commits.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script performs an immediate external side effect by posting to Twitter/X as soon as it is invoked, without any confirmation, dry-run mode, or operator acknowledgment. In an agent-skill context, that is risky because a mistaken prompt, wrong account selection, or malicious orchestration could cause unintended public posts using stored session credentials.

VirusTotal

65/65 vendors flagged this skill as clean.
