X

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed X/Twitter API client, but OAuth mode can read private account data and post publicly from the user’s account.

Install only if you are comfortable giving this skill X API credentials. Use bearer-token mode for public read-only lookups, enable OAuth only when you need bookmarks, likes, or posting, protect ~/.openclaw/x with restrictive permissions, set X API spending limits, and require explicit approval before any agent posts a tweet.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The OAuth flow grants scopes including tweet.write and offline.access and stores resulting tokens locally in ~/.openclaw/x/tokens.json, but the setup text does not clearly warn users that authorization enables posting and persistent account access. In a skill that can post to X and access bookmarks/likes, this omission can lead users to grant broader, longer-lived access than they realize.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation includes posting tweets and accessing bookmarks/liked tweets, which can expose private account data or perform irreversible account actions, but it does not prominently warn that these are sensitive operations requiring explicit user consent. In an agent setting, this increases the risk of accidental privacy violations or unintended posting on behalf of the user.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: OAuth tokens are saved to disk in a predictable location without setting restrictive file permissions or warning the user that long-lived credentials will be stored locally. If another local user or process can read the file, it could hijack the X account session and perform authenticated actions such as reading bookmarks or posting tweets.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The post command sends a tweet immediately using the authenticated user token, with no confirmation prompt, dry-run mode, or clear warning that the action is externally visible and effectively irreversible. In an agent context, this increases the risk of accidental or prompt-induced posting on behalf of the user.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal