ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw X

v0.2.2

Control your X/Twitter account — view timeline, search tweets, post, like, retweet, bookmark.

2· 525·0 current·0 all-time
by@bosshuman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the instructions: the skill uses a local service that drives X using browser session cookies. Asking for a local helper that uses cookies to control an account is coherent with the stated purpose.
!
Instruction Scope
The runtime instructions tell the user to export X cookies from Chrome into cookies.json and run a third‑party executable that listens on localhost. That requires handing full session credentials to a binary and does not include guidance for protecting or verifying those credentials. The SKILL.md also instructs running an arbitrary local service without integrity checks.
!
Install Mechanism
No formal install spec is provided, but the guide instructs downloading an executable from a GitHub Releases page and running it. There are no checksums, signatures, or instructions to verify the binary or inspect its source—this is a high-risk operation (running an opaque binary with account cookies).
Credentials
No env vars or config paths are declared, which is consistent with an approach that uses browser cookies. However, the requirement to export cookies.json is effectively requesting highly sensitive session credentials (equivalent to full access tokens). This is proportionate to the task technically, but the SKILL.md does not provide any safeguards or alternative (OAuth/API-key) options.
Persistence & Privilege
The skill does not request always: true or system-wide config changes; it is user-invocable and does not declare persistent privileges over other skills or agent settings.
What to consider before installing
This skill asks you to download and run an unsigned third-party executable and to export your X/Twitter session cookies—doing so hands that binary the ability to act as your account. Before installing: (1) prefer official OAuth/API-key based integrations over exporting cookies; (2) if you must use this, review the executable’s source code or use builds from a verified maintainer and verify checksums/signatures; (3) run the binary in an isolated environment (VM/container) and not on your primary machine; (4) treat cookies.json like a password—store it securely and delete/revoke the session after use; (5) consider alternatives or ask the author for a signed release and clear privacy/security documentation. The static scanner had no files to analyze (instruction-only), so the highest-risk surface here is the external binary and the exported browser cookies.

Like a lobster shell, security has layers — review code before you run it.

latestvk972e9210wya29qtys4eyt14gs828ax8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments