X Voice Match
Security checks across malware telemetry and agentic risk
Overview
The skill is transparent about analyzing X posts, but it is designed to create posts that could be mistaken as written by any analyzed account.
Install or use this only if you intend to analyze accounts you own or are authorized to manage. Review all generated posts before posting, do not use it to impersonate others, verify the Bird CLI dependency, and treat saved voice-profile files as sensitive reusable style data.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could generate convincing text that impersonates another X account, which may mislead readers if posted without disclosure or authorization.
The generated LLM prompt explicitly optimizes for making readers believe the named account authored the post, and the skill accepts an arbitrary account handle without an ownership or consent check.
Generate posts that would make someone think "{profile['account']} definitely wrote this."Use this only for accounts you own or are authorized to manage, label outputs as drafts, and avoid posting generated text as if it came from someone else.
A malicious or compromised account being analyzed could include instructions in its tweets that influence the agent beyond simple style matching.
Raw tweets from the analyzed account are inserted directly into the model prompt near instructions. Tweets are untrusted external content and could contain prompt-injection text that steers the agent or output.
samples = '\n'.join(f" - {tweet}" for tweet in profile.get('sample_tweets', [])[:5]) ... SAMPLE TWEETS (for reference):\n{samples}\n\nCRITICAL STYLE RULES:Treat tweets as untrusted data: delimit or escape samples, instruct the model to ignore instructions inside samples, and require user review before any follow-on action.
Saved profiles may retain tweet samples and a reusable voice fingerprint for the analyzed account.
The voice profile persists sample tweets and derived style data to a JSON file, which is purpose-aligned but can be reused later as model context.
"sample_tweets": [t['text'] for t in tweets[:5] if 'text' in t] ... json.dump(profile, f, indent=2)
Store profile files carefully, avoid sharing them unnecessarily, and delete profiles when they are no longer needed.
The skill's tweet-fetching behavior depends on whatever Bird CLI installation exists locally.
The skill depends on an external local CLI that is not included in the reviewed package or install spec. This is disclosed and purpose-aligned, but its provenance is outside these artifacts.
Works with Bird CLI (`/data/workspace/bird.sh`)
Verify that /data/workspace/bird.sh is trusted and behaves as expected before using the skill.