Keyapi Twitter Content Analytics

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed KeyAPI Twitter/X analytics helper, but it stores API tokens and cached results locally unless users take care.

Install only if you are comfortable using KeyAPI for Twitter/X research. Prefer setting KEYAPI_TOKEN in your shell instead of entering it at the prompt, keep any .env file private, avoid committing the skill directory, use --no-cache for sensitive lookups, and periodically delete .keyapi-cache if cached social data should not remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to persist API responses under a local cache without warning that the data may contain personal, profile, follower, reply, and engagement information. Local plaintext caching can expose sensitive or regulated data to other local users, backups, logs, or accidental source-control commits, especially in shared or developer environments.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script prompts for a KEYAPI token and immediately persists it to a plaintext .env file in the skill directory without an explicit consent step at the moment of collection. This can surprise users and leaves a reusable credential on disk where it may be exposed through backups, local compromise, accidental commits, or permissive file permissions.

Missing User Warnings

Medium
Confidence: 85%
Finding
Tool responses are cached to disk automatically, which can store potentially sensitive remote data locally without the user's awareness. In a content analytics skill, returned data may include account details, search results, or other collected content that increases local data retention and exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.
