Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Tag Responder
v1.0.0
Detects when a human tags their AI familiar in someone else's X/Twitter thread, fetches full conversation context, infers intent, and crafts an appropriate r...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes fetching tweet context and drafting/posting replies via xurl, which matches part of the code. However, the bundled scripts implement much broader functionality: a background watcher that polls X mentions, monitors WhatsApp gateway status, manages scheduled tasks, can auto-restart the 'openclaw' gateway, and invokes other local tools (/home/ubuntu/.openclaw, /home/ubuntu/go/bin/blogwatcher, python scripts, etc.). Those gateway/monitoring behaviors are unrelated to the declared 'X Tag Responder' purpose and are not disclosed in the skill description.
Instruction Scope
SKILL.md runtime instructions only reference xurl read/search/reply and a local ~/.xurl config. The actual code (scripts/awareness.js and scripts/reply-bot.js) reads/writes multiple workspace files, polls regularly, executes system commands (openclaw status, openclaw gateway restart, node/python/Go binaries), and issues network calls to an external LLM endpoint. SKILL.md does not instruct the agent to run background watchers, poll every 20s/5min, or perform gateway restarts—this is scope creep and a potential surprise to users.
Install Mechanism
The install spec is a brew formula (xdevplatform/tap/xurl) which is a common approach for CLI tools. Installing a brew formula is not inherently dangerous, but the formula is from a third-party tap (xdevplatform) rather than a canonical repository; that increases the need to verify the tap. The skill also includes executable Node scripts that will be placed on disk with the package, so installation will result in persistent code on the system (not just an instruction-only skill).
Credentials
SKILL.md lists no required environment variables, but reply-bot.js uses process.env.GEMINI_API_KEY to call the Google generativelanguage API. The SKILL.md does mention ~/.xurl for OAuth credentials, but it explicitly forbids exposing it to the LLM context rather than declaring it as a required credential. The code also uses hard-coded local paths (/home/ubuntu/.openclaw/workspace, /home/linuxbrew/.linuxbrew/bin/xurl) and a hard-coded agent ID. The undeclared GEMINI_API_KEY and the reliance on multiple local credentials/configs are disproportionate and undisclosed.
Persistence & Privilege
The scripts implement persistent/background behavior (periodic polling, scheduled tasks) and have the ability to execute system commands including 'openclaw gateway restart' — i.e., they can restart services on the host. Although always:false, the skill bundles autonomous/cron-like logic that modifies system state and writes to workspace memory files. That level of system interaction is beyond a simple tweet-reply helper and should have been documented and justified.
What to consider before installing
Key things to consider before installing:
- The code does more than 'draft a reply': it runs background watchers, polls mentions frequently, reads/writes workspace memory files, and can restart the local 'openclaw' gateway. If you do not want a skill that can restart services or run persistent background tasks on your machine, do not install.
- The reply generator expects a GEMINI_API_KEY but the skill metadata does not declare that environment variable—expect to provide an API key if you want automatic reply generation. Verify where that key will be stored and who can access it.
- The skill assumes specific local paths (/home/ubuntu/.openclaw/workspace and /home/linuxbrew/.linuxbrew/bin/xurl). Confirm these are correct for your environment or the scripts may fail or behave unexpectedly.
- The brew formula is from a third-party tap (xdevplatform). Verify the tap and the xurl binary before installing it.
- If you want this functionality but with lower risk: ask the author to (a) remove gateway-restart/autonomous watchdog behavior or make it opt-in, (b) declare required env vars (GEMINI_API_KEY and any OAuth tokens), (c) remove hard-coded paths or make them configurable, and (d) document exactly what background processes run and what files they read/write.
- If unsure, run these scripts in a sandboxed/test environment (non-production account, isolated VM/container) and review the source code line-by-line, or only use the SKILL.md X-reply parts and reject the background-monitoring scripts.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/awareness.js:111
Shell command execution detected (child_process).
scripts/reply-bot.js:136
Shell command execution detected (child_process).
scripts/reply-bot.js:85
Environment variable access combined with network send.
scripts/reply-bot.js:51
File read combined with network send (possible exfiltration).
latest · vk970n0qek8eye6m3teg9xxav2s83z8r0
Runtime requirements
🐦 Clawdis
Bins: xurl
Install
Install xurl (brew)
Bins: xurl
brew install xdevplatform/tap/xurl