Twitter Monitor By Longge

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s behavior matches its stated purpose, but users should note that it requires Twitter session cookies, a Telegram bot token, and an undeclared external CLI, and that it runs continuously.

This appears purpose-aligned for monitoring a Twitter/X account and sending Telegram alerts. Before installing, make sure you trust the `xreach` CLI it calls, understand that Twitter cookies and a Telegram bot token are sensitive, and run the script only when you want continuous monitoring.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

If these credentials are mishandled outside the reviewed code, they could allow access to the user’s Twitter session or Telegram bot messaging capability.

Why it was flagged

The skill asks the user to provide Twitter session cookies and Telegram bot credentials. This is aligned with monitoring Twitter and sending Telegram alerts, but these are sensitive account-authority values.

Skill content
- AUTH_TOKEN: Twitter cookie
- CT0: Twitter cookie
- TELEGRAM_BOT_TOKEN: Telegram bot token
- TELEGRAM_CHAT_ID: your Telegram ID
Recommendation

Use credentials with the least privilege possible, store them securely as environment variables, and rotate/revoke them if you stop using the skill or suspect exposure.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The user must independently trust and install the external `xreach` binary because it receives Twitter authentication values.

Why it was flagged

The script depends on an external `xreach` command and passes Twitter cookie values to it. This dependency is not included in the file manifest or install specification.

Skill content
subprocess.run(["xreach", "tweets", f"@{U}", "-n", "10", "--auth-token", A, "--ct0", C, "--json"])
Recommendation

Verify the source and integrity of `xreach` before use, and prefer a documented, pinned install process for dependencies.

ASI10: Rogue Agents
Low
What this means

Once started, the monitor will continue using network access and sending Telegram notifications until the process is stopped.

Why it was flagged

The script is designed to keep polling every 60 seconds. This is expected for a monitor, but it is still a long-running process.

Skill content
while True:
    t = get()
    ...
    await asyncio.sleep(60)
Recommendation

Run it only when continuous monitoring is desired, and stop the process when alerts are no longer needed.