Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Twitter Monitor By Longge
v1.0.0 · Monitor X/Twitter accounts for new tweets and send notifications to Telegram.
⭐ 0 · 416 · 2 current · 2 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (high confidence)

Purpose & Capability
The code monitors a Twitter/X user and forwards new tweets to Telegram, which matches the name and description. However, the skill shells out to an external CLI ('xreach') and requires Twitter cookie values (AUTH_TOKEN, CT0) and Telegram credentials; none of these were declared in the registry metadata's 'required env vars' or 'required binaries', so the published metadata is inconsistent with what the code actually needs.
Instruction Scope
SKILL.md lists required env vars (TWITTER_USER, AUTH_TOKEN, CT0, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) but the top-level registry entry showed 'none'. The runtime instructions are minimal (run python3 twitter_monitor.py): they do not cover installing the 'xreach' CLI or the Python dependency 'aiohttp', and they do not warn that the Twitter cookie values are session credentials. The script only communicates with api.telegram.org and does not appear to exfiltrate other local data, but the instructions are incomplete and leave the agent broad discretion, since it will have to obtain and handle those secrets itself.
Install Mechanism
There is no install spec. The code calls an external CLI ('xreach') and imports 'aiohttp' at runtime; neither is provided or documented in an install step. This can cause failures at runtime, or quietly require the user to install a third-party binary whose provenance is unknown.
Credentials
The environment variables the code reads (Twitter cookie tokens plus the Telegram bot token and chat id) are plausible for the stated task, but the registry metadata did not declare them. Requesting AUTH_TOKEN and CT0 (Twitter session cookies) is sensitive but explainable; the mismatch between declared and actually-used env vars is a red flag and should be corrected or justified.
Persistence & Privilege
The skill does not request 'always: true' and does not modify system or other-skill configuration. Autonomous invocation is allowed (platform default), which is expected for a monitoring skill; no elevated persistence or cross-skill access is requested.
What to consider before installing
This skill appears to do what it says (monitor a Twitter account and send Telegram messages), but there are important mismatches and missing pieces: the registry metadata does not list the environment variables or the 'xreach' binary that the code actually needs, and there is no install step for the Python dependency 'aiohttp' or for xreach. Before installing, verify where the 'xreach' CLI comes from (a trustworthy source or a GitHub release); decide whether you are willing to hand over Twitter cookie values (AUTH_TOKEN and CT0), which are session credentials that can grant access to your account, and prefer official API keys where possible. Also create a Telegram bot token specifically for this purpose and limit which account tokens you provide. If you proceed, run it in a controlled environment, inspect or obtain the source of the xreach binary, and confirm the skill's metadata is updated to declare its true requirements.

Like a lobster shell, security has layers: review code before you run it.
latest: vk97d46kqs8jbm2hgecescn6kjh82v2we
