Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Manager

v0.1.0

Manage X (Twitter) accounts — post tweets, like, reply, retweet, view timeline, search, auto-interact, analyze data.

0· 231·1 current·1 all-time
by Parker @patches429
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the code and required credentials: the scripts implement posting, liking, replying, retweeting, timeline and search using Twitter API calls and per-user credentials.
Instruction Scope
SKILL.md and scripts confine actions to Twitter API calls and per-user credential files under credentials/{USER_ID}.json. Minor scope mismatches: SKILL.md lists env var usage as an alternative, but the scripts always load credentials from credentials/{USER_ID}.json (they do not read TWITTER_* env vars). No instructions attempt to read unrelated system files or exfiltrate data to external endpoints.
Install Mechanism
Instruction-only skill with no install spec (no code downloaded at install time). Scripts import requests and optionally a 'twitterv2' library; the skill does not declare these Python deps, so the environment must already provide them. This is a usability/robustness omission, not an obvious security hazard.
Credentials
Declared required env vars are all Twitter-related and appropriate for the stated purpose. However, the code does not actually read those env vars and instead requires per-user credential files, so the metadata's required-env list is inconsistent with implementation — a minor coherence issue but not direct evidence of malicious intent.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request system-wide config changes or other skills' credentials. It stores/reads credentials in its own credentials/ directory as expected for a multi-user skill.
Assessment
This skill appears to do what it says, but check these things before installing:
1) It expects per-user credential files in credentials/{USER_ID}.json — ensure you are comfortable storing API keys in that location and protect that directory.
2) The SKILL metadata lists TWITTER_* env vars but the scripts ignore them — decide whether you prefer env-based or file-based credentials and adjust accordingly.
3) The scripts use the 'requests' library and optionally a 'twitterv2' client but no install steps are provided; ensure your environment has those packages.
4) Verify the Twitter API tier and tokens you provide are appropriate (some endpoints require elevated privileges).
5) Note a stray string referencing storyclaw.com in an error message — benign by itself, but if you need external hosting or redirects, confirm the origin.
If you want higher assurance, ask the author for a documented install/requirements file and clarify whether env vars or credential files are the intended auth mechanism.

Like a lobster shell, security has layers — review code before you run it.

latest vk970j1m8nb97b3h3za6msrzycs82kd3s

Runtime requirements

🐦 Clawdis
Bins: python3
Env: TWITTER_API_KEY, TWITTER_API_SECRET, TWITTER_ACCESS_TOKEN, TWITTER_ACCESS_TOKEN_SECRET, TWITTER_BEARER_TOKEN
Primary env: TWITTER_API_KEY