Twitter API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow JustOneAPI Twitter lookup skill with a real credential-handling caveat but no hidden or destructive behavior.

Install only if you trust JustOneAPI with your API token and the Twitter identifiers you query. Use a dedicated or limited-scope token where possible, avoid sharing logs or traces that may contain full request URLs, and rotate the token if you suspect it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
97% confidence
Finding
The skill defines the authentication token as a query parameter and automatically injects it into the request URL. Query-string secrets are commonly exposed in logs, browser/history equivalents, proxy telemetry, monitoring systems, and error messages, making accidental credential disclosure significantly more likely than if the token were sent in an Authorization header.

Missing User Warnings

Medium
95% confidence
Finding
The skill requires an authentication token as a query parameter, which is risky because query strings are commonly logged by clients, proxies, gateways, and server infrastructure. Exposing credentials this way increases the chance of accidental token leakage and unauthorized API use.

Missing User Warnings

Medium
90% confidence
Finding
The documentation explicitly instructs use of an authentication token to access Twitter profile and post data, but provides no warning about secure credential handling, scope minimization, or privacy implications of collecting user data. In an agent skill context, this omission can lead users or downstream agents to expose tokens in logs, URLs, or shared traces and to process personal data without adequate notice or controls.

VirusTotal

66/66 vendors flagged this skill as clean.