ClawHub

X Smart Read

Security checks across malware telemetry and agentic risk

Overview

This is a coherent X/Twitter analytics skill, but it needs API credentials, stores social-media data locally, and includes explicit bookmark-changing commands.

Install only if you are comfortable giving the skill X API credentials and letting it cache X content, mentions, bookmarks, usage, and follower history locally. Use least-privilege credentials where possible, protect ~/.openclaw/.env and ~/.openclaw/skills-config/x-twitter/, require explicit approval for bookmark add/remove and --force/--no-budget, and consider installing uv through a verified package-manager path instead of piping a remote script to sh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README frames the skill as providing read-only access and personal analytics, but it also documents `x_bookmarks.py add ID`, which performs a write action on the user's X account. This mismatch can mislead users and downstream agents into granting broader trust or permissions than intended, increasing the risk of unintended account modification.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The README frames the skill as providing read-only access and personal analytics, but it also documents `x_bookmarks.py add ID`, which performs a write action on the user's X account. This mismatch can mislead users and downstream agents into granting broader trust or permissions than intended, increasing the risk of unintended account modification.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The `refresh` command accepts an arbitrary `tweet_id` and calls `client.get_tweet(...)` without verifying that the tweet belongs to the authenticated user or matches the skill's stated scope of personal timeline analytics. This creates a capability expansion beyond the manifest, allowing retrieval and local persistence of any tweet readable through the user's API access, which is dangerous because users and downstream agents may trust the skill to operate only on the user's own posts.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README emphasizes persistent local storage of fetched tweets and account data but does not warn users that potentially sensitive account activity, mentions, bookmarks, and profile information will be written to disk. On shared machines, developer workstations, backups, or poorly secured environments, this can expose private or sensitive data beyond the live API session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to set up the skill without clearly warning that it requires X API credentials and access to account data such as tweets, mentions, bookmarks, and profile analytics. Insufficient disclosure can cause users or agent operators to supply sensitive credentials without understanding the scope of access or the consequences of compromise.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The guide instructs users to collect and retain five sensitive X API credentials, but it does not provide explicit operational security guidance such as never sharing them, avoiding commits to source control, and restricting file access. In a setup document for an agent skill, that omission increases the risk of accidental credential exposure and downstream account/API abuse.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The bookmark add/remove commands perform write actions against the user's X account, but the skill documentation does not clearly warn that these are state-changing operations requiring explicit confirmation. That increases the chance an agent could invoke them as if they were harmless reads, causing unintended account modifications.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists fetched posts and mentions, including tweet text, author identifiers, usernames, and follower counts, to local JSON files without any notice, consent flow, or retention controls visible in this file. Because this skill handles personal social-media data and potentially third-party content from mentions, undisclosed local retention increases privacy risk if the host is shared, backed up, or later accessed by other tools.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script appends follower history to persistent configuration over time without any visible disclosure that profile metrics are being retained longitudinally. While lower sensitivity than raw tweet content, this still creates a behavioral/account-growth history that can reveal usage patterns and may be unexpected to the user.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script persists fetched tweet content and metadata to a local JSON cache, but the CLI behavior shown here does not provide a clear user-facing notice or consent mechanism about that retention. In a personal analytics skill, this can expose sensitive or unexpected content locally to other users, backups, or later tooling, especially when reading bookmarks, mentions, replies, or deleted/private-context material that the user may not expect to be stored indefinitely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal