Tweet Monitor Pro

Pass

Audited by VirusTotal on May 14, 2026.

Findings (1)

The skill contains a critical command injection vulnerability in index.js, where user-provided parameters (url, username, baselineFile) are passed unsanitized to execSync via string concatenation. It also relies on a hardcoded absolute path to a script located in /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py, which is not included in the bundle and suggests irregular environment dependencies. While the skill claims to have a commercial subscription model, the upgrade logic is purely local and lacks actual payment verification, which is misleading but not definitively malicious.