social-reader

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill

Name: social-reader

Version: 1.0.0

The skill is classified as suspicious due to several risky capabilities, even though they are presented as part of its intended functionality. Specifically, `notifier.py` starts a local HTTP server on `127.0.0.1:18923` and automatically opens a browser window to this local URL, which are significant actions. Additionally, `notifier.py` uses `subprocess.Popen` to execute a PowerShell command for desktop notifications, a shell execution primitive, though the command itself is fixed and benign in this context. Furthermore, `processor.py` feeds untrusted external content (tweet text) into an LLM prompt, introducing a prompt injection vulnerability against the LLM, even if the LLM's output is subject to human review.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or malformed link could make the agent contact an unintended internal or external address instead of only the intended social-media API.

Why it was flagged

The tweet ID check is not anchored to the URL hostname, and the code rewrites the entire user-supplied URL rather than parsing and allow-listing the host. A crafted URL containing an x.com/twitter.com-looking path can cause requests to be sent to a non-X host.

Skill content
```python
patterns = [r'(?:x\.com|twitter\.com)/\w+/status/(\d+)']
...
api_url = re.sub(r'(x\.com|twitter\.com)', 'api.fxtwitter.com', url)
...
resp = requests.get(api_url, headers=headers, timeout=15)
```
Recommendation

Parse URLs with a URL parser, require the hostname to be exactly x.com or twitter.com, construct the provider API URL from trusted components, and reject or ask for confirmation on nonstandard hosts.

What this means

While the review server is running, another local process or reachable web page may be able to read or alter draft data and consume LLM calls without the user intending it.

Why it was flagged

The local review API enables broad cross-origin access and the shown handlers do not require an auth token or origin check. These endpoints can read drafts, change review status, trigger LLM regeneration, archive items, and shut down the server.

Skill content
```python
self.send_header("Access-Control-Allow-Origin", "*")
...
elif path == "/api/drafts": self._send_json(load_drafts())
...
if path == "/api/review": self._handle_review()
...
elif path == "/api/regenerate": self._handle_regenerate()
...
elif path == "/api/archive": self._handle_archive()
```
Recommendation

Bind only to localhost, remove wildcard CORS, require a random per-session token or CSRF protection for every API call, validate Origin/Host headers, and avoid exposing regenerate/archive/shutdown endpoints without explicit user authorization.

What this means

Anyone running pipeline mode must trust the configured LLM endpoint with the API key and with the social content being distilled.

Why it was flagged

Pipeline processing uses an LLM API key and sends it as a bearer token to the configured LLM endpoint. This is expected for the processor, but it is sensitive delegated access.

Skill content
```python
api_key = os.environ.get("LLM_API_KEY")
...
"Authorization": f"Bearer {config['api_key']}"
...
"base_url": os.environ.get("LLM_BASE_URL", "https://api.openai.com/v1")
```
Recommendation

Use a minimally scoped LLM key, keep LLM_BASE_URL pointed at a trusted provider, and avoid running the local review API in environments where untrusted pages or processes can reach it.

What this means

Future installs may receive a different dependency version than the author tested.

Why it was flagged

The skill asks for a manual, unpinned PyPI dependency install. This is a normal dependency for HTTP fetching, but it is not version-pinned or locked.

Skill content
```bash
pip install requests
```
Recommendation

Install in a virtual environment and prefer pinned versions or a reviewed lockfile if using the skill regularly.

What this means

Fetched social content and generated commentary can remain on disk and influence later pipeline runs or reviews.

Why it was flagged

The pipeline intentionally persists fetched posts, generated drafts, review state, and archives in local JSON files.

Skill content
```markdown
`seen_ids.json` | Deduplication cache
...
`pending_tweets.json` | Queue
...
`drafts.json` | LLM-distilled drafts
...
`archive.json` | Archived history records
```
Recommendation

Review and clear these JSON files when needed, and avoid storing sensitive private links or drafts in the skill directory.