Tweet Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill matches its automation goal, but it can publish to X/Twitter and modify Notion using under-disclosed local credentials and persistent scheduled jobs.

Review before installing. Only use this skill on a machine where you intentionally want OpenClaw cron jobs, 1Password-backed Notion access, and the ~/.xurl X/Twitter profile to be used for live posting. Run --dry-run first, add a Platform=Twitter filter, replace hard-coded local paths, confirm the target X account, and inspect scheduled OpenClaw crons after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "--model", "sonnet",
        "--timeout-seconds", "60",
    ]
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode == 0:
        print(f"  ⏰ Cron scheduled for {cron_time} AEST")
    else:
Confidence
86% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Tainted flow: 'req' from open (line 110, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    tokens = json.loads(urllib.request.urlopen(req).read())
    user["access_token"] = tokens["access_token"]
    if "refresh_token" in tokens:
        user["refresh_token"] = tokens["refresh_token"]
Confidence
97% confidence
Finding
tokens = json.loads(urllib.request.urlopen(req).read())

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill metadata declares runtime requirements and outbound network use, but it does not declare a clear permissions model for sensitive capabilities such as shell execution, file writes, environment access, and network actions. That gap reduces transparency and prevents users or policy systems from accurately assessing what the skill can do before execution, which is especially risky for an automation that can schedule jobs and interact with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior does not accurately match the implemented behavior: the skill reportedly updates Notion records, posts overdue items immediately, and uses OAuth1 credentials from local configuration instead of the stated OAuth2 flow. This mismatch is dangerous because operators may grant access based on an incomplete understanding, leading to unintended writes to external systems and use of unexpected credential sources.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata says tweets are posted via X/Twitter OAuth2 API, but the implementation actually loads OAuth 1.0a secrets from `~/.xurl` and signs requests manually. This discrepancy is dangerous because it misleads reviewers and operators about which credentials are required, where they are stored, and what security controls or revocation procedures apply.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comment claims OAuth1 refresh is unnecessary and the function is kept only for compatibility, but the body performs an OAuth2 token refresh and writes credential data locally. Misleading comments around authentication code are dangerous because they can hide sensitive behavior from reviewers, causing insecure dead code to persist and increasing the chance of accidental activation or unsafe maintenance changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill performs outbound actions that can modify external accounts and data, including reading from Notion and posting to a social media account, but the user-facing description lacks an explicit warning about those effects. In an automation context, that omission increases the chance of accidental account activity, unintended posts, or unexpected data changes because users may treat the skill as passive scheduling logic rather than an active publisher.

VirusTotal

64/64 vendors flagged this skill as clean.
