X

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward X API client whose account access, posting ability, OAuth flow, and local token storage are disclosed, though users should treat OAuth mode and posting as sensitive.

Install only if you are comfortable giving the skill X API credentials. Use bearer-token mode for read-only public lookups when possible, enable OAuth only for bookmarks, likes, or posting, set X API spending limits, protect ~/.openclaw/x with restrictive permissions, and review exact tweet text before posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation advertises network access and file output/redirection behavior, but the manifest does not declare corresponding permissions. Undeclared capabilities weaken trust boundaries for the agent/runtime because users and policy systems cannot accurately assess that the skill can contact external services and write data to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is narrower than the inferred behavior: OAuth browser flow, localhost callback handling, persistent token storage, token refresh, and richer bookmark export/processing all introduce additional attack surface and data-handling risk. When a skill understates authentication, persistence, and export features, users may unknowingly authorize broader access or expose sensitive account data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup guide instructs users to write bearer tokens and API secrets directly into JSON files under ~/.openclaw/x without any permission-hardening guidance. While storing local credentials is common, omitting warnings about plaintext-at-rest and restrictive file permissions increases the chance that other local users, backups, logs, or malware can recover reusable API credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes a posting command that performs a public state-changing action, but it does not warn that tweeting is externally visible and may be difficult or impossible to fully retract once observed. In an agent context, missing friction or confirmation can lead to accidental posting, reputational harm, or disclosure of sensitive information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quickstart instructs users to persist an X API bearer token in a local plaintext credentials file without any warning about secure storage, file permissions, or the sensitivity of the token. Bearer tokens can grant direct API access, so local exposure through shared machines, backups, logs, or permissive filesystem settings could allow unauthorized use of the associated account or app.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The OAuth examples introduce commands for bookmarks, likes, and posting but do not warn that these operations may access private account data or perform write actions on behalf of the user. In an agent skill context, omission of consent and scope warnings increases the chance that users invoke capabilities without understanding the privacy and account-action implications.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The command can print a user's bookmark contents, linked URLs, and raw JSON without any explicit privacy/sensitivity warning at the point of use. In an agent-skill context, bookmarks are highly personal data, so easy bulk disclosure to stdout can cause unintended exposure if output is logged, shared, or shown to another party.

Credential Access

High
Category
Privilege Escalation
Content
def refresh_access_token():
    """Refresh OAuth access token using refresh_token."""
    import time
    import base64
Confidence
82% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
        expires_at = issued_at + expires_in
        
        if time.time() >= expires_at - 60:  # Refresh 60s before expiry
            print("🔄 Access token expired, refreshing...", file=sys.stderr)
            tokens = refresh_access_token()
        
        token = tokens.get("access_token")
Confidence
79% confidence
Finding
Access token

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup (30 seconds)

```bash
# 1. Create credentials file
mkdir -p ~/.openclaw/x
cat > ~/.openclaw/x/credentials.json <<EOF
{
Confidence
90% confidence
Finding
Create credentials file mkdir -p ~/.openclaw/x cat > ~/.openclaw

VirusTotal

63/63 vendors flagged this skill as clean.
