Skill v1.1.0
ClawScan security
Social Media Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 13, 2026, 1:04 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions line up with its stated purpose (browser-driven X/Twitter automation) but omit important details about how it obtains and uses authenticated browser sessions and how autonomous posting is performed, which raises operational-security and scope concerns you should understand before installing.
- Guidance: This skill appears to be what it says (browser-driven X posting and engagement) but it depends on controlling a browser session. Before installing or enabling it: (1) Understand which browser/profile it will use and ensure that profile does not contain other logged-in accounts or sensitive sessions. Avoid exposing remote debugging ports to the network; prefer a dedicated, isolated browser profile or a throwaway account for testing. (2) Confirm whether the skill will require per-post approval or will post autonomously — if you want control, require manual confirmation in the agent's policy. (3) Be aware that screenshots, page DOM access, and automated clicks can capture sensitive page content; review memory/log storage location and retention (memory/social-log.json). (4) Test with a non-critical account and limited permissions first. If these points are unacceptable or unanswered by the publisher, treat the skill as risky.
Review Dimensions
- Purpose & Capability (ok): Name/description (autonomous X posting, content generation, engagement) match the SKILL.md: it uses browser automation, web_fetch, cron, sessions_spawn and memory to research, draft, post, and log tweets. Requesting no env vars or external APIs is consistent with a browser-driven approach.
- Instruction Scope (concern): Instructions explicitly require controlling a browser (Chrome remote debugging or OpenClaw's built-in browser) to sign in and post, but the skill does not explain where or how authentication is supplied or consented to. Using remote debugging or an automated browser session means the skill can access cookies, session tokens, and any pages that browser profile is logged into — a sensitive capability not described or gated. The runtime steps (snapshots, typing, clicking) are coherent for posting but give the agent broad ability to interact with any site the browser has access to.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files; nothing is downloaded or written by an installer. This minimizes supply-chain risk, but the runtime uses built-in platform tools (browser, web_fetch, sessions_spawn), which are where the operational risk lies.
- Credentials (note): No env vars or external credentials are requested, which is proportionate if posting via an already-authenticated browser. However, the skill implicitly requires access to an authenticated browser/profile (or remote-debugging port). That implicit requirement can expose other site sessions and secrets (cookies, stored logins) even though no explicit credentials are listed.
- Persistence & Privilege (note): always:false and user-invocable:true (normal). The SKILL.md recommends using sessionTarget: "isolated" and payload.kind: "agentTurn" for autonomous posting — i.e., the skill is designed to run autonomously once invoked. Autonomous posting plus browser access increases potential impact (unauthorized posts or unintended interactions) if not properly scoped or reviewed by the user.
