Twitter Auto Engage

Security checks across malware telemetry and agentic risk

Overview

This skill is a Twitter/X automation guide that can post public replies and likes using session cookies, but the runnable code it references is not included for review.

Review carefully before installing. Do not provide a primary Twitter/X session cookie or OpenAI key unless you have obtained and audited the missing auto_engage.py and rnet_twitter.py files, understand exactly where credentials go, and are comfortable with scheduled automated likes and public replies. Prefer a test account, scoped official API/OAuth credentials where possible, restrictive file permissions for cookies, and manual approval before posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (90% confidence)
Finding
The skill description is broad enough to encourage autonomous social-media actions without clearly constraining when it should run, under what approval model, or what accounts/content are in scope. In a skill that can post and like from a user's Twitter account, vague invocation criteria materially increase the risk of accidental or unintended account activity.

Missing User Warnings

Medium (96% confidence)
Finding
The skill performs consequential actions on the user's behalf—liking tweets and posting generated replies—but the description does not prominently warn that it will directly affect the user's public account. That omission can lead to users invoking the skill without appreciating reputational, policy, or account-enforcement risks from automated engagement.

Missing User Warnings

Medium (94% confidence)
Finding
The setup instructions require highly sensitive credentials—an OpenAI API key and exported Twitter session cookies—but do not present a strong, explicit warning about the security implications of storing and handling them. Browser session cookies effectively grant account access, so weak guidance here increases the chance of account takeover or credential leakage through logs, files, or source control.
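The guardrails the overview recommends (restrictive file permissions on the cookie file, keeping credentials out of logs, and a manual approval step before anything is posted) can be enforced in a few small functions. The block below is an added example written for this review; it is not code from the skill, and the missing auto_engage.py and rnet_twitter.py files were not available to base it on. It assumes cookies are kept in a JSON file on a POSIX host, that the Twitter/X session cookies are named auth_token and ct0 (Twitter's real cookie names, but not identifiers taken from this page), and that OpenAI keys begin with "sk-" (the key format, also not from the page); the regexes are illustrative, not exhaustive.

```python
"""Guardrails for a cookie-based Twitter/X automation skill (added example)."""
from __future__ import annotations

import json
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Callable

# Credential patterns. The cookie names and the "sk-" prefix are assumptions
# from general knowledge of Twitter/X and OpenAI, not from the reviewed page.
# Group 1 is always the secret value so it can be redacted in place.
SECRET_PATTERNS = {
    "openai_api_key": re.compile(r"(sk-[A-Za-z0-9_-]{20,})"),
    "twitter_auth_token": re.compile(r"auth_token[=:\s\"']+([0-9a-f]{40})"),
    "twitter_ct0": re.compile(r"\bct0[=:\s\"']+([0-9a-f]{32,})"),
}


def check_secret_file(path: str) -> list[str]:
    """Return reasons a cookie/key file is unsafe to use; [] means it is OK.
    POSIX-only: refuses symlinks, foreign ownership and group/world access."""
    problems: list[str] = []
    if Path(path).is_symlink():
        problems.append("is a symlink")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/world accessible ({stat.filemode(st.st_mode)})")
    return problems


def load_cookies(path: str) -> dict:
    """Load the cookie file only if its permissions pass check_secret_file."""
    problems = check_secret_file(path)
    if problems:
        raise PermissionError(f"refusing to load {path}: " + "; ".join(problems))
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def find_secrets(text: str) -> list[str]:
    """Names of credential types present in text (log line, file, commit)."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def redact(text: str) -> str:
    """Replace only the secret value, keeping the surrounding field name."""
    for name, rx in SECRET_PATTERNS.items():
        text = rx.sub(lambda m, n=name: m.group(0).replace(m.group(1), f"[REDACTED:{n}]"), text)
    return text


def approve_post(action: str, content: str,
                 confirm: Callable[[str], str] = input) -> bool:
    """Manual approval gate for any public action (like, reply).
    `confirm` is injectable so a UI or test can drive it; default is a prompt.
    Content that contains a credential is refused without asking."""
    if find_secrets(content):
        return False
    answer = confirm(f"{action}: {content!r}\nPost this publicly? [y/N] ")
    return answer.strip().lower() == "y"


def demo_file_check() -> dict:
    """Constructed scenario: a cookie file first left 0644, then fixed to 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cookies.json")
        with open(path, "w", encoding="utf-8") as f:
            json.dump({"auth_token": "a" * 40, "ct0": "b" * 64}, f)  # constructed values
        os.chmod(path, 0o644)
        loose = check_secret_file(path)
        os.chmod(path, 0o600)
        tight = check_secret_file(path)
        cookies = load_cookies(path)
    return {"loose": loose, "tight": tight, "cookie_names": sorted(cookies)}


if __name__ == "__main__":
    print(demo_file_check())
    line = 'DEBUG cookie="auth_token=' + "a" * 40 + '; ct0=' + "b" * 64 + '" key=sk-' + "x" * 24
    print(find_secrets(line), redact(line))
```

Run `find_secrets` over anything about to be logged or committed (a pre-commit hook over staged files is the natural place), and route every like or reply through `approve_post` so the human, not the scheduler, decides what the account says publicly.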

VirusTotal

No VirusTotal findings
