A real-time intelligence feed tracking the top 50 AI organizations and influencers globally.

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can act using an existing logged-in X/Twitter browser session instead of a narrowly scoped API token.

Why it was flagged

The free scraper automatically imports cookies from the user's Chrome browser session, which is high-impact account/session access even if it is related to X monitoring.

Skill content
await scraper.useCookiesFromBrowser('chrome');
Recommendation

Require explicit user opt-in before using browser cookies, document exactly which session data is read, and recommend a dedicated browser profile or test X account.

What this means

A user could unknowingly provide or expose a Feishu workspace token for a workflow that was advertised mainly as X/Twitter monitoring.

Why it was flagged

The optional monitor mode uses an undeclared Feishu access token to call a hardcoded Feishu Bitable resource, which is not described in the metadata or main setup flow.

Skill content
'Authorization': `Bearer ${process.env.FEISHU_ACCESS_TOKEN}`
Recommendation

Declare FEISHU_ACCESS_TOKEN as a required/optional credential, explain why Feishu is needed, scope it minimally, and avoid hardcoded third-party app/table IDs unless clearly user-controlled.

What this means

Hardcoded provider credentials can mislead users, leak the publisher's key, or cause users to run under an unexpected identity.

Why it was flagged

The source includes a hardcoded X API key value and comments that it was automatically obtained, despite SKILL.md saying users should fill in their own API key and secret.

Skill content
const X_API_KEY = 'THp2c1V4bW5JQVJ1S09IY1BzN1NubDoxaXJpUQ'; // obtained automatically
Recommendation

Remove all hardcoded API credentials and load user-provided keys only from declared environment variables or a clearly documented secret store.

Concern: Medium Confidence
ASI10: Rogue Agents
What this means

The skill may be expected to run in the background using existing sessions without the user reviewing each run.

Why it was flagged

The skill claims default unattended scheduled execution, but the provided install artifacts do not show a clear cron creation, permission prompt, or uninstall/disable boundary.

Skill content
Generated and pushed automatically every day at 8:30 by default
Recommendation

Make scheduling explicitly opt-in, document the exact cron job, provide disable/uninstall steps, and avoid using browser sessions in unattended jobs without renewed consent.

What this means

A future dependency update could change behavior around browser session access or network scraping without being reviewed in these artifacts.

Why it was flagged

The package uses a caret-pinned third-party scraper dependency that is central to the workflow and is also the component used to access browser cookies.

Skill content
"@the-convocation/twitter-scraper": "^0.22.1"
Recommendation

Pin exact dependency versions, include a lockfile, and review the scraper library carefully before allowing it to read browser cookies.

What this means

Users may trust reports or configure credentials for an API mode that is not actually implemented as described.

Why it was flagged

The advertised official API mode does not actually call the X API in the provided code; it generates mock tweet data while SKILL.md presents API mode as a working higher-reliability option.

Skill content
// Simulated X API call; replace with a real API request in actual use
Recommendation

Clearly label API mode as unfinished/mock if that is the case, or implement the real X API workflow with transparent credential handling.

What this means

A malicious or prompt-injection-style tweet could be preserved in the report and influence later agent analysis if treated as instructions.

Why it was flagged

Untrusted public tweet text is copied directly into a persistent Markdown report file, which could later be read by an agent as context.

Skill content
report += `**核心内容**:${topTweet.text}\n\n`;
Recommendation

Treat tweet contents as untrusted data, label them as quoted source text, and avoid letting later agents execute or follow instructions found inside reports.

Findings (2)

Severity: critical
Signal: suspicious.env_credential_access
Location: scripts/x-monitor.js:24
Finding: Environment variable access combined with network send.

Severity: critical
Signal: suspicious.exposed_secret_literal
Location: scripts/x-monitor.js:11
Finding: File appears to expose a hardcoded API secret or token.