Twitter Article
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Twitter/X article-sync purpose, but it requires full browser session cookies and can publish or delete public X Articles, so it should be reviewed carefully before use.
Only install or run this skill if you are comfortable giving it Twitter/X browser session cookies and allowing it to create, update, publish, or delete X Articles. Review commands before execution, avoid using your main account if possible, and treat AUTH_TOKEN, CT0, and any Notion key as sensitive credentials.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these cookies are mishandled or used unexpectedly, the user’s X account session could be abused to perform account actions beyond the intended article sync.
The skill asks the user to provide browser session cookies for Twitter/X. These cookies can represent broad account authority, not just narrowly scoped permission to manage articles.
export AUTH_TOKEN="<twitter auth_token cookie>"; export CT0="<twitter ct0 cookie>" ... Cookie authentication: `AUTH_TOKEN` + `CT0` (obtained from the browser)
Use a dedicated account if possible, avoid sharing browser cookies with untrusted code, rotate/logout sessions after use, and prefer a scoped official OAuth/API integration if available.
A user may install or approve the skill thinking it needs no credentials, then later be asked for highly sensitive browser-session cookies.
This registry metadata conflicts with the SKILL.md instructions and code, which require AUTH_TOKEN and CT0 cookies. The credential requirement is materially under-declared.
Required env vars: none ... Primary credential: none
Update the metadata to declare the required Twitter/X cookies and Notion key clearly, including the risks and exact scope of what the skill can do.
Running the wrong command or allowing the agent to run it without review could publicly post or delete article content.
The skill exposes commands that can publish or delete X Articles. This is aligned with its purpose, but these are high-impact account mutations.
`publish --id <id>` | Publish ... `delete --id <id>` | Delete
Require explicit user confirmation before publish or delete actions, and verify the target article ID and content before executing those commands.
