X Auto-Tweet (Browser)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises, but it can control a logged-in X account and publish posts with weak guardrails.

Install only if you are comfortable letting the skill act through a logged-in X session. Use a dedicated browser profile or test account, keep per-post approval enabled, avoid cron/full-auto mode unless you add strict limits and a kill switch, review local queue/history files, and do not rely on the skill's ToS or 'credential-free' claims as security guarantees.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation claims the skill is 'credential-free' and contains 'no passwords, no private data,' but the workflow explicitly depends on a logged-in X browser session and accesses a personalized feed. This is misleading because authenticated browser sessions are credentials in practice, and personalized trend data may expose private or account-linked information to the skill and downstream systems.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The workflow contains contradictory safety guarantees: it promises no auto-posting without approval, then later permits full automatic posting within predefined guidelines. This can cause operators to overtrust the skill and enable unattended social-media actions that may publish unintended, harmful, or policy-violating content.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script appends the entire queue to history and then clears the queue unconditionally, even when some tweets failed to post. This creates data integrity loss: failed or unposted items are marked as processed/archived and removed from the retry queue, which can silently drop content and produce inaccurate audit history.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The quick start explicitly tells the user to run a posting script against their already authenticated browser session, which can publish content to the user's X account. While the example text is benign, the documentation does not prominently warn that executing the command performs a real account action, so a user could trigger unintended posting or underestimate the risk of account misuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes attaching to an already logged-in browser session to post, scrape, and monitor activity on X without clearly disclosing the security, privacy, and account-enforcement risks. In this context, the skill operates with the full privileges of the user's authenticated session, so misuse, prompt-driven abuse, or overly aggressive automation could expose private account data, perform unauthorized actions, or lead to account restriction or suspension.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Telegram approval flow introduces a third-party data transfer path but the README does not clearly warn that generated tweet ideas, trends, mentions, or other account-related content may be sent outside the local environment. This is dangerous because users may unknowingly disclose sensitive business plans, private account context, or scraped content to Telegram, expanding the attack surface and creating compliance and confidentiality risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes scraping personalized X trends and, elsewhere, sending generated ideas to Telegram, but it does not provide a clear privacy warning about collecting personalized feed data or transmitting derived content externally. This creates a risk that users expose account-tailored interests, behavioral signals, or sensitive topical context without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation does not clearly warn that browser automation operates through the user's authenticated X account and can publish content on that account, including in scheduled or automated modes. In this context, omission is dangerous because users may underestimate the risk of unintended posting, account misuse, or policy violations when enabling cron-based automation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrase presented as a ready-to-use trigger is broad natural language that could plausibly appear in ordinary conversation, making accidental activation more likely in systems that map user text directly to actions. In a skill that navigates X, generates content, and may later post to an account, ambiguous invocation increases the risk of unintended workflow execution.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manual command examples are written as free-form conversational prompts without scope boundaries, authentication expectations, or confirmation requirements. In an agent environment, this can blur the line between casual discussion and actionable commands, leading to unintended scraping, message sending, or tweet posting behavior.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README states that the skill automatically creates a local data directory and stores tweet content, approval queues, trend data, and posting history, but it does not clearly warn users about the privacy and retention implications of that local storage. While this is not an active exploit, it is a real security/privacy weakness because users may unknowingly retain sensitive or account-linked social media data on disk, where it could later be exposed through local compromise, backups, or accidental sharing.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This code immediately connects to a local browser session and posts content to X without an interactive confirmation, dry-run mode, or stronger operator acknowledgement. In an agent/automation context, that raises the risk of unintended external actions, account misuse, or accidental publication of queued content if the script is invoked in the wrong environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script overwrites the queue file with an empty array after processing, without conditioning that action on all posts succeeding. In practice this can destroy pending work and eliminate recovery options after transient posting errors, especially since the history file may now contain items that were never actually posted.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script connects to an existing authenticated browser session and clicks the live X/Twitter post button immediately after filling attacker- or caller-controlled text, with no user review, confirmation, dry-run mode, or account verification. Because posting to a social media account is an externally visible and effectively irreversible action, any upstream misuse, prompt injection, bad tool invocation, or unexpected input can cause unauthorized public posts from the user's real account.

Session Persistence

Medium
Category
Rogue Agent
Content
- [ ] Test trend scraping
- [ ] Test posting
- [ ] Build auto-tweet flow
- [ ] Add cron job for automation
- [ ] Monitor mentions
- [ ] Strategic liking/RTing
Confidence
69% confidence
Finding
Add cron job for

VirusTotal

66/66 vendors flagged this skill as clean.
