Security audit

twitter-ai-kol-fetcher

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it embeds a fallback Twitter API key and inaccurately claims it saves no local files while writing cached data to /tmp.

Review before installing. Remove the embedded Twitter API key and use your own scoped credentials, assume tweet/topic data may be sent to OpenRouter, and do not rely on the stated no-local-file behavior unless you add deletion or redirect the /tmp cache yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates access to environment variables, local files, file writes, and network services, but no permissions are explicitly declared. That creates a transparency and consent problem: users and hosting platforms cannot accurately assess what the skill will access before execution. In this context, the risk is amplified because the workflow handles API keys and transmits collected content to third-party services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose sounds like a simple Twitter monitoring/reporting skill, but the documented behavior also includes reading API keys from config/environment, persisting data locally, sending content to external LLM services, and (as a separate finding notes) using a fixed default Twitter API key. This mismatch prevents informed consent and can lead to unintended secret use, third-party data disclosure, and unreviewed external API activity.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation claims that no local files are saved, yet the skill also instructs users to create a local config.json and describes generation/deletion of temporary files. This inconsistency can mislead users about where secrets and generated content reside, increasing the chance of accidental retention, leakage, or improper handling of sensitive data on disk.

Context-Inappropriate Capability

Low
Confidence
97% confidence
Finding
The code loads an API key from config and also embeds a default API key directly in source. Hardcoded credentials are dangerous because anyone with source access can reuse the key, exhaust quota, incur charges, or abuse the associated account, and local config loading can unintentionally broaden where secrets are sourced from without validation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and match common user requests such as '抓取 Twitter' ("scrape Twitter") or 'AI 领域最新动态' ("latest developments in the AI field"), increasing the chance the skill activates in contexts where users did not specifically intend external data collection and third-party transmission. In this skill, overbroad triggering is more dangerous because activation can lead to network access, secret use, and automated outbound reporting.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description does not warn users that collected Twitter content and derived topics may be sent to external LLM providers for classification and report generation. That omission undermines informed consent and may create confidentiality, compliance, or policy issues if the collected material or prompts contain sensitive internal context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends aggregated tweet text, author handles, keywords, and topic summaries to an external LLM API without any explicit notice, consent gate, or configuration flag indicating that third-party processing will occur. In an agent skill context, this can cause unanticipated data sharing, privacy issues, and compliance problems, especially if the input dataset contains non-public, sensitive, or licensed content.

External Transmission

Medium
Category
Data Exfiltration
Content
        return "API key not configured"

    try:
        response = requests.post(
            "https://openrouter.ai/api/v1/chat/completions",
            headers={
                "Authorization": f"Bearer {OPENROUTER_API_KEY}",
Confidence
92% confidence
Finding
requests.post( "https://openrouter.ai/api/v1/chat/completions", headers={ "Authorization": f"Bearer {OPENROUTER_API_KEY}", "Content-Type": "appl

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.