ClawHub

twitter-cli

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Twitter/X CLI, but it gives an agent broad account-control access and handles browser session cookies in unsafe ways.

Install only if you are comfortable giving this skill access equivalent to your logged-in Twitter/X session. Do not paste a full browser Cookie header into chat or a remote agent. Prefer a local-only setup, avoid write actions unless you explicitly requested them, and review account-changing commands carefully before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises shell, environment, file, and network-capable behavior but does not declare permissions or constraints. That weakens platform-level review and user awareness, especially for a skill that can access credentials and perform authenticated actions against a social account.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The README contains contradictory statements about cookie handling: one section says all Twitter cookies are forwarded in requests, while the Chinese section claims cookies are only used locally and never uploaded. This can mislead users into exposing sensitive session credentials under false assumptions about privacy, especially in an AI-agent setting where operators may trust the docs instead of inspecting network behavior.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill contradicts its own safety guidance by instructing the agent to ask the user for the full Cookie header and paste it into chat. A full Twitter/X cookie string is effectively an active session secret and can enable account takeover or misuse if exposed in logs, transcripts, or downstream tooling.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The package metadata describes a read-oriented terminal client focused on feed, bookmarks, and timeline access, while the skill manifest claims the tool should be used for all Twitter/X actions including posting, replying, liking, retweeting, and following. This capability mismatch is dangerous because an agent may be induced to rely on the skill for higher-risk write operations that are not clearly declared or validated by the packaged project metadata, increasing the chance of unsafe invocation, unexpected behavior, or hidden functionality beyond the stated scope.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This skill is explicitly designed to auto-extract Twitter/X authentication cookies from local browsers, including full cookie sets, to impersonate the logged-in user. In an agent-skill context, harvesting browser-backed session credentials without strict consent and scoping is highly dangerous because it grants account access beyond normal delegated auth flows.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The client deliberately impersonates specific Chrome TLS/browser fingerprints and supports proxying to make automated requests appear like a real browser. In a Twitter/X automation skill, this goes beyond ordinary API consumption and is anti-detection logic that can help evade platform defenses, increasing abuse potential and reducing transparency to users and operators.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code fetches x.com homepage content and JS-derived ondemand assets, then constructs and caches transaction metadata used to emulate browser anti-bot headers. This is effectively reverse-engineering and replaying anti-abuse signals, which materially increases the capability to automate restricted account actions while avoiding normal detection paths.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README documents destructive and account-affecting actions such as delete, follow, like, retweet, and posting without an explicit warning that these change account state and may be irreversible or have social/account consequences. In an agent skill context, that omission increases the risk of accidental harmful actions triggered by ambiguous prompts or automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README recommends browser cookie extraction and forwarding of all Twitter cookies but does not provide a clear privacy warning about handling active session credentials. In an agent skill, this is especially dangerous because operators may permit automated access to browser secrets without understanding that these cookies can authenticate as their account and enable high-impact actions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The invocation scope says to use this skill for ALL Twitter/X operations, making triggering overly broad. In context, this is risky because the same skill supports both read and write actions, so an agent may invoke a high-privilege tool in situations where a narrower or read-only path would be safer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents destructive and account-modifying operations like post, delete, follow, and retweet without requiring confirmation. In an agent setting, that increases the chance of unintended public actions or account changes being executed from ambiguous prompts or misinterpretation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code attempts browser cookie extraction automatically when environment variables are absent, with no interactive warning, consent gate, or confirmation that the user wants local browser secrets accessed. In an autonomous agent setting, silently pulling session cookies is especially risky because users may not realize the tool is taking over an already-authenticated browser identity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill exposes a destructive operation that deletes tweets immediately with no built-in confirmation, dry-run, or safeguard. In an agent context that is invoked for all Twitter/X operations, this raises the risk of accidental or unauthorized destructive actions through prompt misunderstanding, prompt injection, or user ambiguity.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly tells the agent to ask for a full Twitter cookie string and process it in-shell. This exposes session credentials in plain text to chat logs, agent memory, shell history, and potentially process inspection, creating a straightforward path to session theft and account compromise.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal