Skill v1.0.0
ClawScan security
Tweet Pipeline · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 8:40 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims to use a NOTION_API_KEY and python only, but the included scripts access local 1Password secrets, a local Twitter credentials file, and hardcoded user-specific binaries/paths that are not declared. The requirements and runtime behavior are inconsistent and deserve review before use.
- Guidance: This skill is not outright malicious, but it is inconsistent and requires careful review before use. Key concerns: (1) The scripts do not use the declared NOTION_API_KEY env var; they invoke the 1Password CLI (op) and read a local service token file to pull the Notion key from 1Password. (2) Twitter credentials are read from a local file (~/.xurl), not from declared env vars. (3) The scripts call hardcoded user-specific binaries and paths (a specific python in /Users/loki, /opt/homebrew node, ~/.npm-global/bin/openclaw) that may not exist and reveal assumptions about the developer's machine. (4) There is subprocess usage of 'op' and 'openclaw cron add', which will access your password manager and schedule jobs on your system. Recommended actions before installing or running:
  - Ask the author to explain why NOTION_API_KEY is declared but not used, and to list all required binaries (op, node, openclaw CLI).
  - Inspect and/or sanitize ~/.xurl and remove sensitive credentials, or modify the scripts to accept Twitter credentials via environment variables instead of reading a local file.
  - Replace hardcoded paths with configurable values or relative paths.
  - Run the scripts in a controlled sandbox or test account first (a dry-run mode is provided).
  - Ensure you are comfortable granting the skill access to your 1Password service account token and letting it schedule crons on your machine; if not, do not run it.
  - Because the refresh logic contains buggy/undefined variables, review and fix that function before trusting automatic token refresh or credential writes.
Review Dimensions
- Purpose & Capability
  - concern: The skill description says it reads Notion and posts to X/Twitter and declares NOTION_API_KEY as the primary credential. However, neither script uses a NOTION_API_KEY environment variable; instead they call the 1Password CLI ('op') and read ~/.config/openclaw/.op-service-token plus op:// paths to retrieve the Notion key. They also read a local YAML file (~/.xurl) for Twitter OAuth1 credentials. The code expects other local tools/paths (op, node, openclaw CLI, a specific python path and home-directory paths) that are not declared in the metadata.
- Instruction Scope
  - concern: SKILL.md describes polling Notion and scheduling crons, which matches the high-level behavior, but the runtime instructions in the scripts go beyond that: they read local config and secret files, execute the 1Password CLI via subprocess, schedule crons by calling a hardcoded node+openclaw binary, and write a state file under ~/.openclaw. The poster script also contains a token-refresh function that references undefined variables and may attempt to read/write local credential files. The instructions therefore access filesystem and credential sources not described in the skill metadata.
- Install Mechanism
  - note: There is no install spec (instruction-only), so nothing will be downloaded at install. That lowers install-time risk, but the scripts call external binaries (op, node, openclaw, a specific python under /Users/loki/.pyenv) that are assumed to exist. The skill metadata only requires python3; it does not declare 'op' or the openclaw/node binaries it will invoke.
- Credentials
  - concern: The declared required env vars list only NOTION_API_KEY, yet the code ignores that env var and instead requires access to other secrets: a local service-account token file (~/.config/openclaw/.op-service-token) used with the 1Password CLI, and a local YAML file (~/.xurl) containing Twitter consumer/access tokens. These undeclared secrets and file reads are disproportionate to the declared requirement and are security-relevant.
- Persistence & Privilege
  - note: always:false is set, and the skill writes only its own state file (~/.openclaw/workspace/memory/scheduled-tweets.json) and schedules one-shot crons via the openclaw CLI. It does modify Notion pages (updating Status/Posted At), which is expected for a poster. It does not declare 'always:true' or modify other skills, but cron scheduling and reliance on local CLI tools mean it creates persistent scheduled work on the host if run.
