Skill v0.1.0

ClawScan security

Storyclaw X Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 14, 2026, 3:50 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly implements X/Twitter actions as described, but there are multiple mismatches between the declared requirements/instructions and the actual code (credential handling, unused env vars, missing dependency declarations, and unimplemented features), so proceed with caution.
Guidance
What to consider before installing:

- The code implements the advertised X/Twitter actions and talks only to api.twitter.com, but the skill is sloppy about how it expects credentials. It declares required TWITTER_* env vars in metadata, but the Python scripts ignore environment variables and instead load plaintext credentials from credentials/{USER_ID}.json. That means you must store Twitter tokens locally in that credentials/ folder for each user, which is sensitive and could be read by others with file access.
- There is no install script or dependency list. The scripts import 'requests' (and optionally 'twitterv2'), but the skill won't install these for you; running will fail unless those Python packages are present.
- SKILL.md mentions auto-interaction and state/{USER_ID}.json configuration, but none of the provided scripts implement that. The presence of a 'bind at storyclaw.com' message in a script is suspicious/unclear (the code does not contact that domain); ask the author to clarify whether an external service is required or used.
- If you decide to use this skill: only supply tokens you can revoke, use minimal-permission tokens where possible, store credentials with restrictive file permissions, run the skill in an isolated environment (container or VM), review and/or remove references to external services, and consider modifying the code to read environment variables if you prefer not to keep plaintext credential files.

If you need absolute assurance, request an updated version that: (1) consistently uses either env vars or credential files (not both), (2) documents and installs required Python packages, and (3) removes or explains any references to external domains such as storyclaw.com.

Review Dimensions

Purpose & Capability
note: The scripts implement posting, liking, replying, retweeting, timeline, user tweets, and search via api.twitter.com, which matches the stated purpose. However, the metadata and SKILL.md require environment variables (TWITTER_*), while the scripts consistently load per-user credentials from credentials/{USER_ID}.json and do not read os.environ. The primaryEnv is TWITTER_API_KEY, but the code primarily uses bearer_token (and sometimes multiple credentials), so the declared primary credential does not match runtime behavior.
Instruction Scope
note: SKILL.md instructs storing credentials in credentials/{USER_ID}.json (which the code does), and describes an auto-interaction workflow using state/{USER_ID}.json, but none of the provided scripts read or write state/* or implement auto-interaction/analysis. The scripts make requests only to api.twitter.com endpoints (no hidden endpoints), and only read the credential files under the skill directory. SKILL.md also mentions prompting users to bind via an external domain (storyclaw.com) even though the code never contacts that domain.
Install Mechanism
ok: There is no install spec (instruction-only skill), so nothing is automatically downloaded or executed at install time. Scripts rely on python3 and third-party Python packages (requests, optionally 'twitterv2'), but there is no mechanism to install those; this is an operational omission rather than a direct installation risk.
Credentials
concern: The skill declares five TWITTER_* environment variables as required and marks TWITTER_API_KEY as primary, yet the code does not read environment variables and instead expects per-user JSON credential files. Requesting all five env vars may be excessive or misleading because many script calls use only bearer_token; the declared env requirements therefore do not match how credentials are accessed at runtime. Also, the skill stores sensitive tokens in plaintext JSON files under credentials/, which raises confidentiality concerns if the host/workspace is shared.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system-wide modifications or cross-skill config changes. It only reads credentials from its own credentials/ directory and runs ephemeral scripts; no elevated persistence is requested.