Prompt injection instructions
- Finding: Prompt-injection style instruction pattern detected.
Security checks across static analysis, malware telemetry, and agentic risk
The skill’s X/Twitter management purpose is coherent, but it asks the agent to automatically install external tooling via an unpinned remote shell/package flow before using your X account credentials.
Install only if you are comfortable letting an agent manage your X/Twitter account. Preinstall and review `twitter-cli` and `uv` yourself if possible, do not let the agent run curl-to-shell installers without confirmation, verify which X account is authenticated, and require explicit approval before any post, reply, follow, like, delete, or DM action.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote installer or unpinned package could change over time or behave unexpectedly, and it would run in the user's environment before interacting with the user's X account.
The skill directs the agent to run an unpinned remote installer and then install an external CLI package automatically, despite being described as instruction-only. That external tooling will be used with the user's X/Twitter session.
If `uv` is NOT available, install it first: `curl -LsSf https://astral.sh/uv/install.sh | sh` then `uv tool install twitter-cli`
Preinstall and review pinned versions of `uv` and `twitter-cli` yourself, or require explicit confirmation before the agent runs any installation command.
Approved or mistaken commands could publish content, delete posts, follow accounts, or otherwise change the user's X account.
The CLI reference exposes commands that can mutate a public X/Twitter account. This is expected for a social media manager, but these actions can affect reputation and account state.
`twitter post "Post text here" --json` ... `twitter reply TWEET_ID "Reply text" --json` ... `twitter delete TWEET_ID` ... `twitter follow HANDLE`
Require a clear preview and explicit approval for every public or account-changing action, not only original posts.
Anyone or any tool with access to these tokens may be able to act as the user's X/Twitter account, depending on the provider and CLI behavior.
The skill requires X/Twitter authentication material. This is purpose-aligned, but those credentials can enable account access through the CLI.
Required env vars: `TWITTER_AUTH_TOKEN`, `TWITTER_CT0`
Use the narrowest authentication method available, keep tokens out of shared logs or repositories, and revoke/rotate them if no longer needed.
The external CLI may use the user's existing X session to perform reads and writes as that account.
The skill expects an authenticated browser session for X/Twitter. Browser-session based auth is sensitive because it relies on existing logged-in identity.
An active X (Twitter) session in your browser (for cookie-based auth)
Only use this skill on a device and account you trust, and confirm which account is authenticated before allowing any posting or engagement workflow.
Personal strategy notes, engagement history, leads, and account insights may accumulate locally and be reused in future sessions.
The skill maintains persistent memory across sessions, including account performance, audience intelligence, leads, and voice patterns. This is disclosed and useful for personalization, but it creates long-lived local records.
Append new entries after every significant interaction. Never delete old entries.
Periodically review and prune the memory files if they contain sensitive or outdated information, despite the skill's default 'never delete' instruction.
The local archive may contain personal wording, opinions, or context that the user did not intend to persist indefinitely.
The skill stores exact historical replies to imitate the user's voice. This is purpose-aligned, but it preserves behavioral and stylistic data for reuse.
This file contains the user's actual replies word-for-word ... Populated during onboarding by fetching the user's real replies
Review the archive after onboarding and remove any replies that should not be stored or reused.
Additional local agents may read memory, archives, and account research files when invoked for drafting, research, or strategy updates.
The skill defines multiple specialized sub-agents and has the main agent create their persistent prompts. This is disclosed, but the exact host-specific paths and boundaries are not specified in the artifact.
The main agent reads this file and creates the sub-agent files in whatever format the host IDE requires.
Confirm where sub-agent files will be created and what tools each sub-agent can use before enabling that feature.