Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Niche Twitter

v1.0.0

Specialized Twitter/X research, content creation, and strategy for niche topics like WHL scouting, ClawHub AI, acreage dev, Saskatchewan housing, and indie h...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included files: search query generator, advanced-search reference, thread template and guidance. The requested capabilities (web_search, browser snapshots) are coherent for Twitter/X discovery and content generation.
Instruction Scope
SKILL.md instructs the agent to perform web_search and browser snapshots and to 'extract' follower/bio/engagement data (reasonable for research). However it also tells the agent to run `exec scripts/format-thread.py "[content]"` but no such script exists in the bundle — a clear inconsistency. The monitoring section mentions cron/notify but gives no destination or storage rules for scraped data, which is vague and could lead to broad data collection or unsanctioned notifications if the agent acts autonomously.
Install Mechanism
There is no install spec, and only a small helper script is included. There is no external download or package install; attack surface from installation is low.
Credentials
The skill does not request environment variables, credentials, or config paths — proportional for a skill that scrapes public Twitter/X pages rather than using private APIs. Note: if later modified to use API access, credentials would be expected.
Persistence & Privilege
always is false and model invocation is allowed (default). The SKILL.md suggests 'autonomous monitoring via cron/web_search' but the skill does not include any mechanism to install cron jobs; this is a behavioral ambiguity rather than a direct privilege request. Autonomous invocation combined with the vague monitoring instructions increases potential for unwanted periodic data collection.
What to consider before installing
This skill mostly does what it says (search/query generation, templates, guidance). Before installing, ask the developer to: (1) explain or provide the missing scripts referenced in SKILL.md (scripts/format-thread.py is referenced but not included) so you can audit them; (2) clarify how monitoring/cron/notifications would work, where scraped data would be stored/sent, and get explicit opt-in for periodic runs; (3) confirm there are no hidden endpoints or external downloads the skill will use later; and (4) if you enable autonomous invocation, restrict it initially (or run manually) until you’ve reviewed behavior and logs. The current inconsistencies look like sloppy packaging rather than active malice, but they warrant caution.

Like a lobster shell, security has layers — review code before you run it.
