Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
twitter browser post
v1.0.0
Monitors new posts by Tom Doerr on X.com, verifies real GitHub links, translates, requests approval, and publishes to Twitter automatically.
by @gbrokng
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (monitor Tom Doerr posts, verify GitHub links, translate, request approval, post on X) aligns with the runtime steps in SKILL.md. However, the SKILL.md assumes an authenticated browser profile ('openclaw' profile), access to Telegram channels, and the ability to post on X.com without declaring any required credentials or config paths in the manifest — a platform-level dependency that is not documented in the skill metadata.
Instruction Scope
Instructions are detailed and narrowly scoped to: open a browser profile, read the most recent X post, confirm real GitHub links (t.co redirect or GitHub search), translate/rewrite, send for Telegram approval, and post via X compose dialog using explicit DOM refs. They reference agent memory files (memory/rotinas.md, memory/instrucoes-tom-doerr.md) and include a cron command. They do not instruct collecting unrelated system files or environment variables, nor do they exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written during install by the skill itself. That lowers install-time risk.
Credentials
The skill requires capabilities that imply credentials/active sessions (posting to X, sending to Telegram, using a specific browser profile) but declares no required environment variables or config paths. The manifest omits any mention of the need for an authenticated browser profile or Telegram/X tokens; relying on an already-logged-in browser profile or platform-provided Telegram channel is plausible but is a security-relevant assumption that should be explicit.
Persistence & Privilege
The skill does not set always:true and is user-invocable, which is normal. It includes a recommended cron command to schedule hourly checks via platform tooling (openclaw cron add) — creating such scheduled jobs grants the skill recurring execution ability if the user runs that command. Autonomous invocation plus scheduling increases the impact of any mistakes or misconfigurations, so users should be aware the skill can act regularly once scheduled.
What to consider before installing
This skill appears to do what it says, but it assumes an already-authenticated environment (a browser profile capable of posting on X and a Telegram channel/user) without declaring those requirements. Before installing or enabling automated runs: (1) Confirm where the X and Telegram authentication comes from — are you relying on a logged-in 'openclaw' browser profile or platform-managed channels? (2) Inspect memory/rotinas.md and memory/instrucoes-tom-doerr.md to ensure they contain no sensitive tokens or unwanted history the skill will read or overwrite. (3) Don't schedule the cron job until you test a manual run and verify the Telegram approval step works as intended (so it won't post without human consent). (4) Ask the publisher/source for a homepage or source code to verify behavior. (5) If you prefer safety, run it manually (user-invoked) and avoid installing the cron job or granting any persistent credentials until you trust the workflow.
Like a lobster shell, security has layers — review code before you run it.
