Twitter Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent Twitter/X automation, but it can publish live posts, replies, and quote tweets from an agent without built-in preview or approval controls.

Install only if you are comfortable giving an agent write access to a live Twitter/X account. Prefer a test or dedicated account, review each generated post before execution, avoid broad autonomous posting commands, and rotate or revoke the Twitter and 6551 tokens when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill advertises AI-assisted hot-topic discovery and Claude-based generation, but the provided content only documents direct posting/reply/quote actions plus manual curl examples. This mismatch can mislead users and orchestrators into invoking a write-capable social-media skill under assumptions about safeguards, automation logic, or review steps that do not actually exist.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README encourages users to let the agent fetch, generate, and publish Twitter content, but it does not clearly warn that these actions result in live public posts and replies on the user's behalf. In an automation skill with write-capable social media credentials, lack of explicit disclosure increases the risk of unintended posting, reputational harm, and accidental spam or policy violations.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill is user-invocable and capable of posting public content, yet its description provides no tight constraints on when automation should run, what approvals are required, or what content is prohibited. Broad invocation semantics increase the risk of accidental spam, impersonation, reputational harm, or misuse in high-trust agent workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs a state-changing action that publishes content publicly to a Twitter/X account immediately when invoked, with no confirmation prompt, dry-run mode, or explicit warning. In an agent/automation context, this increases the risk of accidental or unauthorized public posting, especially if upstream inputs are generated by other services or LLMs.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 1 — Fetch trending tweets (via 6551 opentwitter)

```bash
curl -s -X POST "https://ai.6551.io/open/twitter_search" \
  -H "Authorization: Bearer $TWITTER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"keywords": "AI crypto", "minLikes": 500, "product": "Top", "maxResults": 10}'
```
Confidence
95% confidence
Finding
curl -s -X POST "https://ai.6551.io/open/twitter_search" \ -H "Authorization: Bearer $TWITTER_TOKEN" \ -H "Content-Type: application/json" \ -d '{"keywords": "AI crypto", "minLikes": 500, "produ

VirusTotal

55/55 vendors flagged this skill as clean.
