X Twitter Collector

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses a browser to collect public X/Twitter posts and save local reports, with privacy and cleanup caveats.

Install only if you are comfortable with the agent using your OpenClaw browser profile to view X/Twitter and saving public posts, links, metrics, and screenshots locally. Use explicit @handles and time ranges, avoid private or sensitive targets, and periodically delete reports/screenshots you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The documented trigger verbs are extremely generic terms such as '收集' (collect), '整理' (organize), '获取' (obtain), '分析' (analyze), and '监控' (monitor), which are common in ordinary user conversations. In an agent skill system, overly broad triggers can cause accidental invocation in unrelated contexts, leading the skill to access X/Twitter content, perform browser actions, or generate screenshots/reports when the user did not explicitly intend to call this skill.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly states that screenshots will be generated and reports saved to disk, but it does not warn users that collected content, links, screenshots, and account monitoring results may be written to local storage. This creates a privacy and data-governance risk because users may unknowingly retain sensitive browsing artifacts or collected social-media data on disk, especially in shared or synced workspaces.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly instructs capturing full-page screenshots and detailed tweet metadata, then storing and attaching them in reports, but it does not provide concrete guidance on retention, access control, redaction, or downstream sharing risks. Even for public accounts, screenshots can preserve sensitive context, incidental personal data, or deleted content in a durable form, increasing privacy and compliance exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
