twitter

Security checks across malware telemetry and agentic risk

Overview

This is a real Twitter/X automation skill, but it asks users to send account passwords and proxy details to a third-party API and can perform public account actions without built-in confirmation.

Install only if you trust SkillBoss/AISA with Twitter/X account access and public posting authority. Prefer a test or low-risk account, avoid sharing a primary password where possible, rotate SKILLBOSS_API_KEY if exposed, and require explicit human approval before login, post, like, retweet, or profile-update actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no explicit permissions while clearly requiring environment access and extensive network access to a third-party API. This undermines informed consent and platform policy enforcement because a caller may not realize the skill can transmit queries, account identifiers, and authentication material off-platform.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The manifest frames the skill as search/listening/posting, but the documented behavior also includes account login, account detail retrieval, likes, retweets, follower/following enumeration, and profile updates. This mismatch increases the chance that an agent or user invokes broader account-control functions than expected, enabling unintended actions on a user's social account.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest description omits that the skill can automate authenticated account actions beyond simple search and posting, including liking, retweeting, login flows, and profile changes. In agent ecosystems, incomplete disclosure is dangerous because policy engines and users may authorize the skill under a narrower trust model than its real behavior warrants.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Profile update functionality is materially more sensitive than the stated search/listening/tweeting purpose because it changes account identity and public presentation. If triggered unexpectedly, it can deface an account, damage reputation, or assist account takeover workflows by altering name and bio details.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata describes search/post functionality but the code also implements account login with username, email, password, proxy, and optional TOTP. This mismatch is dangerous because users or calling agents may supply highly sensitive credentials without realizing the skill forwards them to a third-party API, undermining informed consent and security review.

Description-Behavior Mismatch

Low
Confidence
83% confidence
Finding
The description emphasizes search and publishing, but the implementation also performs likes and retweets, which are separate engagement actions that modify account state. Undisclosed action scope increases the risk of unintended account activity by an agent or user who believes the skill is limited to read/search or direct posting only.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code accepts raw Twitter credentials, proxy details, and TOTP codes for remote login, which materially expands the skill from content operations into account-access brokering. In an agent context, this is especially dangerous because it enables centralized collection and relay of account secrets to an external service, creating account takeover and credential exposure risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises write-capable Twitter actions such as posting, liking, and retweeting without any warning that these operations can directly affect a user's account, public presence, and reputation. In an agent skill context, omission of these cautions increases the risk of accidental or unauthorized account-impacting actions, especially if users assume the skill is primarily read-only from the surrounding examples.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The invocation examples are broad and overlap with ordinary social-media assistance requests, but they do not define clear boundaries for when autonomous actions like liking, retweeting, or monitoring should occur. This can cause an agent to activate the skill for ambiguous prompts and perform networked or account-affecting actions without sufficiently specific user authorization.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation instructs users to submit Twitter username, email, password, and proxy details to a remote third-party API, but provides only a rate-limit warning rather than a meaningful credential-security or privacy warning. This creates substantial risk of credential exposure, account compromise, and unauthorized reuse of highly sensitive authentication material by the external service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The login command sends username, email, password, proxy, and optional TOTP to a remote API endpoint without any explicit warning, confirmation, or trust disclosure. Because these are highly sensitive secrets, silent transmission to a third-party service can lead to credential compromise, regulatory issues, and unauthorized account access if the service or logs are breached.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Posting, liking, and retweeting are state-changing actions executed immediately once invoked, with no confirmation prompt, dry-run mode, or policy gate. In an autonomous-agent setting, that makes accidental spam, reputational damage, or abusive engagement much more likely, especially when paired with real-time search and automation.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Step 1: Login first (async, check status after)
curl -X POST "https://api.aisa.one/apis/v1/twitter/user_login_v3" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_name":"myaccount","email":"me@example.com","password":"xxx","proxy":"http://user:pass@ip:port"}'
```
Confidence
98% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-H "Authorization: Bearer $SKILLBOSS_API_KEY"

# Send tweet
curl -X POST "https://api.aisa.one/apis/v1/twitter/send_tweet_v3" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_name":"myaccount","text":"Hello from OpenClaw!"}'
```
Confidence
76% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-d '{"user_name":"myaccount","text":"Hello from OpenClaw!"}'

# Like a tweet
curl -X POST "https://api.aisa.one/apis/v1/twitter/like_tweet_v3" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_name":"myaccount","tweet_id":"1234567890"}'
```
Confidence
75% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-d '{"user_name":"myaccount","tweet_id":"1234567890"}'

# Retweet
curl -X POST "https://api.aisa.one/apis/v1/twitter/retweet_v3" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_name":"myaccount","tweet_id":"1234567890"}'
```
Confidence
75% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-d '{"user_name":"myaccount","tweet_id":"1234567890"}'

# Update profile
curl -X POST "https://api.aisa.one/apis/v1/twitter/update_profile_v3" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_name":"myaccount","name":"New Name","bio":"New bio"}'
```
Confidence
86% confidence
Finding
https://api.aisa.one/

VirusTotal

VirusTotal findings are pending for this skill version.
