Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Tweet Monitor

v1.0.0

Monitor X/Twitter accounts for new tweets and send notifications to Telegram.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The name/description match the code's behavior (poll Twitter and send Telegram messages). However the code invokes an external CLI tool 'xreach' via subprocess but the skill metadata and SKILL.md do NOT declare that 'xreach' is required or tell the user where to obtain it. That mismatch (code requiring an opaque binary while the skill declares no required binaries) is an incoherence.
!
Instruction Scope
SKILL.md tells the user to set Twitter cookie env vars and Telegram credentials and run the script, which matches the code's use of TWITTER_USER, AUTH_TOKEN, CT0, TELEGRAM_BOT_TOKEN, and TELEGRAM_CHAT_ID. But the instructions omit any guidance about installing or vetting the 'xreach' CLI or Python dependencies (aiohttp). The runtime instructions therefore under-specify steps required to run and to evaluate the trustworthiness of the external tool the script calls.
!
Install Mechanism
There is no install spec. That would be fine for a pure-Python script that uses only standard-library modules, but this script requires 'aiohttp' (not standard library) and calls an external binary 'xreach'. The absence of installation guidance for these dependencies is a red flag because the skill implicitly depends on fetching/executing third-party code (the 'xreach' binary) from an unspecified source.
Credentials
The required environment variables (Twitter cookie tokens AUTH_TOKEN and CT0, plus TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID) are logically related to the stated purpose. They are sensitive credentials/cookies; the skill needs them to access Twitter via the xreach tool and to post to Telegram. No unrelated credentials are requested. Because AUTH_TOKEN/CT0 are cookies, advise extra caution: using cookies instead of official API keys can be riskier and can expose a logged-in session.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It runs as an invoked script and does not modify other skills or system-wide configuration.
What to consider before installing
This skill appears to do what it says, but it hides important operational details. Before installing or running it: (1) Verify where the 'xreach' CLI comes from and inspect its source or distribution — the script calls it directly and will execute whatever that binary does. (2) Install and vet the Python dependency 'aiohttp' from a trusted source, or run the script in an isolated environment. (3) Be aware that you are asked to provide sensitive Twitter cookies (AUTH_TOKEN, CT0) and your Telegram bot token — prefer least-privileged credentials and revoke them if you later suspect misuse. (4) Ask the publisher for explicit install steps and for the origin and a verification checksum of the xreach binary; the absence of that information is the main reason this skill is marked suspicious. If you cannot verify xreach's origin, do not run this on a machine with sensitive accounts or data.

Like a lobster shell, security has layers — review code before you run it.
