Ganidhuz-FoxX
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is visibly built for X/Twitter browsing, but it exports real Firefox session cookies and gives open-ended logged-in browser control that should be reviewed before use.
Only install this if you intentionally want OpenClaw to use your logged-in X/Twitter session. Prefer a separate Firefox profile and X account, inspect plans before execution, avoid mutating click/fill/type steps unless you explicitly requested them, and delete or tightly protect exported cookie and storage-state files after use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
This can expose browser session material and gives the skill reusable access to the user's logged-in X/Twitter session; the temporary database copy may contain more than just X/Twitter cookies.
The script accesses Firefox's local session-cookie store, copies the entire cookie database to a predictable /tmp file, and then filters X/Twitter cookies for export.
DB="$PROFILE_PATH/cookies.sqlite"
TMP_DB="/tmp/foxx-cookies-copy.sqlite"
...
cp "$DB" "$TMP_DB"
...
WHERE host LIKE '%twitter%' OR host LIKE '%x.com%'
Use a dedicated Firefox profile and preferably a dedicated X account, protect and delete secrets/x-cookies.json and /tmp/foxx-cookies-copy.sqlite after use, and do not run this on a profile containing sensitive unrelated sessions.
A plan could do more than fetch tweets: it could post, like, follow, message, or change account settings as the logged-in user if a plan includes such steps.
After injecting session cookies, a plan can navigate to arbitrary URLs and perform interactive browser actions without a built-in read-only mode, domain restriction, or approval check for mutating actions.
initial_url = plan.get("url", "about:blank")
...
context.add_cookies(cookie_data.get("cookies", []))
...
if action == "click" ... if action == "fill" ... if action == "type" ... if action == "press"
Review every plan before running it, restrict use to x.com/twitter.com, and require explicit human approval for any click, fill, type, or press step that could change account state or publish content.
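The two mitigations above (restrict cookies and navigation to X/Twitter, and gate mutating click/fill/type/press steps behind explicit approval) can be enforced in the plan runner before `add_cookies` and step execution. The following is an added example, not code from the FoxX skill; it assumes a plan is a dict with a `url` and a `steps` list whose items carry an `action` key (the fields the review quotes), and it matches cookie domains by exact host suffix rather than the substring match of the export script's `LIKE` filter.

```python
# Added example (not part of the FoxX skill): a guard a plan runner could apply
# before injecting cookies and executing steps. Assumed plan shape:
# {"url": "...", "steps": [{"action": "click", ...}, {"url": "..."}, ...]}
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"x.com", "twitter.com"}
MUTATING_ACTIONS = {"click", "fill", "type", "press"}


def _host_in_allowlist(host: str) -> bool:
    host = host.lstrip(".").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def host_allowed(url: str) -> bool:
    """True only for https URLs on x.com/twitter.com or their subdomains."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return _host_in_allowlist(parts.hostname)


def filter_cookies(cookies: list) -> list:
    """Keep only X/Twitter cookies, so a profile-wide cookie copy cannot
    leak unrelated sessions into the browser context."""
    return [c for c in cookies if _host_in_allowlist(c.get("domain", ""))]


def check_plan(plan: dict, approved: bool = False) -> dict:
    """Return {'ok', 'problems', 'needs_approval'}. Mutating steps are only
    accepted when the caller passed approved=True after a human review."""
    problems, needs_approval = [], []
    url = plan.get("url", "about:blank")
    if not host_allowed(url):
        problems.append(f"initial url not on an allowed host: {url}")
    for i, step in enumerate(plan.get("steps", [])):
        # Any step that names its own URL is checked against the allowlist.
        if "url" in step and not host_allowed(step["url"]):
            problems.append(f"step {i}: navigation off allowed hosts")
        if step.get("action") in MUTATING_ACTIONS:
            needs_approval.append(f"step {i}: {step['action']}")
    if needs_approval and not approved:
        problems.append("mutating steps present but no explicit approval")
    return {"ok": not problems, "problems": problems,
            "needs_approval": needs_approval}
```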
Running the export step can unexpectedly close active Firefox windows, interrupt work, or lose unsaved form/tab state.
The cookie export script terminates Firefox processes automatically; the documentation says to close Firefox first, but the script does not prompt before killing it.
pkill -f firefox 2>/dev/null && sleep 2 || true
Close Firefox manually before running the script, or modify the script to prompt before killing processes.
The user will fetch and run third-party code/browser binaries during setup.
The setup uses manual, unpinned installation of a Python package and browser components; this is purpose-aligned but depends on current upstream package sources.
Playwright: `pip install playwright && playwright install firefox`
Install in a virtual environment, pin or verify package versions where possible, and avoid running setup in a sensitive production environment.
A user may treat this as a low-risk API substitute even though it grants logged-in session authority.
The description frames real-session cookie automation as a way around bot blocks, which may understate the account/session risk of handing browser cookies to automation.
Browse X/Twitter using a real logged-in Firefox session via cookie injection... no API key, no bot blocks.
Treat the skill as full logged-in account automation and confirm that its use fits your security expectations and platform/account rules.
