X (Twitter) Data Scraper

Security checks across malware telemetry and agentic risk

Overview

This X/Twitter scraper mostly matches its stated purpose, but it includes under-disclosed authenticated browser scraping that relies on persistent cookies, and it contains language about bypassing rate limits.

Review before installing. Use a dedicated low-privilege X developer token or test account, avoid storing main-account cookies or passwords for this skill, and prefer the API scripts over fetch_x_playwright.py. Be aware that usernames, search queries, retrieved content, bearer tokens, and possibly authenticated session cookies may be used in requests to X/Twitter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill advertises and operationalizes environment-variable access, local file reads, and outbound network use, but it does not declare permissions or clearly constrain those capabilities. This creates a transparency and governance gap: an agent may invoke the skill without users or policy layers understanding that it can access stored credentials and make external requests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script is hard-wired to load authentication cookies from a fixed path and inject them into a browser session for Twitter/X scraping. In the context of an agent skill, this creates an undocumented dependency on privileged session material and can cause the tool to operate under a real account without explicit per-use consent, increasing privacy, account-abuse, and credential-misuse risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The capability documentation exposes a concrete credential file path and the exact sensitive environment variable names used for X authentication, which increases the chance of secret discovery, mishandling, or targeted exfiltration by downstream agents or users. In an agent-skill context, operational docs are often consumed programmatically, so publishing secret locations is more dangerous than ordinary developer documentation because it guides automated access to authentication material.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The README instructs users to supply an X API bearer token and use the skill to fetch data from X, but it does not clearly disclose that prompts, search terms, usernames, and retrieved content will be sent to an external third-party service. In a data-extraction skill, this omission matters because users may provide sensitive investigation targets or proprietary research queries without realizing they leave the local environment.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill instructs users to configure API credentials and references browser-based scraping, yet it provides no explicit warning about network access, privacy implications, rate limits, or compliance with X/Twitter terms. In practice, this omission can lead to unauthorized collection, unexpected transmission of user data, or use of fragile scraping methods without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill instructs users to place an X API bearer token in a local env file but provides no guidance on secret handling, file permissions, redaction, or avoiding commits/logging. While this is common setup documentation, it still creates a real risk of credential exposure through source control, shared home directories, backups, or accidental disclosure in terminal history and troubleshooting output.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The code reads authentication cookies from disk and loads them into the Playwright browser context, thereby transmitting authenticated session state to Twitter/X without any meaningful user disclosure or consent flow. In an agent setting, this is dangerous because users may not realize the skill is acting as a logged-in account, which can expose account data, trigger account actions, or leak organizational session context to an external site.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The search flow automatically sends user-supplied queries to Twitter/X via browser automation, potentially along with authenticated cookies already loaded into the session, without a clear warning that external network requests will occur. Within this skill context, the behavior is more concerning because the tool is explicitly designed for scraping and can silently combine user prompts with a live authenticated browsing session.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The profile-fetch path sends a username-derived request to Twitter/X using browser automation and may do so in an authenticated context loaded from disk, again without explicit user awareness. This turns the skill into a pass-through proxy from agent input to an external service under potentially privileged session state, which can surprise users and increase privacy and account-risk exposure.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
## Setup

**Credentials:** Create `~/.openclaw/credentials/x_api_tokens.env`:
```
X_BEARER_TOKEN=Bearer YOUR_TOKEN_HERE
```
Confidence: 88%
Finding: Create `~/.openclaw

VirusTotal

67/67 vendors reported this skill as clean.
