OpenClaw Social Post

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed social-posting tool, but it includes live-account side effects and anti-spam evasion behavior that users should review carefully before installing.

Install only if you are comfortable giving this skill live X/Twitter and Farcaster posting authority. Test with isolated accounts, review the hard-coded paths, avoid sensitive images or private URLs, and do not rely on --dry-run for Twitter tier detection until that live POST behavior is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation indicates access to environment variables, local credential files, shell utilities, and networked services, but it does not declare any explicit permission model to constrain those capabilities. That increases the chance of overbroad execution and makes credential access, file reads/writes, and external transmission less transparent to users and reviewers.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior extends beyond simple social posting into wallet balance inspection, third-party anonymous hosting, and URL shortening through outside services. These undeclared side behaviors create privacy, cost, and data-exfiltration risk because user content, metadata, and financial/account information may be transmitted to services users did not reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The changelog explicitly advertises `--vary` as a way to avoid or bypass Twitter/X duplicate-content detection, including guaranteed visible mutation and repeated attempts until platform checks are evaded. In the context of a posting automation skill, this is not a neutral formatting aid; it is a built-in anti-abuse evasion feature that can facilitate spam campaigns, coordinated inauthentic posting, and circumvention of platform safety controls.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The README materially misrepresents X/Twitter pricing and tier behavior by stating there are no subscription tiers, while the skill metadata says it performs dynamic Basic/Premium tier detection. For a skill that can trigger paid API actions, inaccurate billing and capability documentation can cause users to make unsafe assumptions about cost, feature availability, and posting behavior.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The image-posting path uploads arbitrary local files to unrelated third-party anonymous hosting services (catbox.moe, uguu.se) before posting to Farcaster. That creates an external data exfiltration path outside the stated Farcaster API interaction and exposes user-supplied local content to services with unknown retention, access controls, and privacy guarantees.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill sends and transforms user post content through a third-party URL shortener, but this behavior is not disclosed in the manifest. In a social-posting skill, links may contain sensitive tracking parameters, private preview URLs, or campaign data, so silently forwarding them to TinyURL creates an avoidable privacy and integrity risk and changes user content in a way callers may not expect.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comment says the code will perform a dry run, but it actually sends a real POST request to Twitter's tweet-creation endpoint using live OAuth credentials. In this skill context, that can cause unintended posting, account activity, API spend, and side effects on a real social account just from tier detection, which is significantly more dangerous because the skill is explicitly designed to operate production social accounts.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill sources credentials from a fixed local file outside the skill boundary, giving it access to secrets that are not explicitly passed in for the posting action. In an agent setting this expands the trust boundary and can enable unauthorized account use or accidental cross-account posting if the skill is invoked unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
This library is explicitly designed to mutate post text to avoid duplicate-content detection, which is an anti-abuse safeguard used by social platforms to limit spam and coordinated inauthentic behavior. In the context of a social posting skill, this is not a neutral formatting helper: it operationalizes evasion by adding randomized punctuation, emojis, spacing, and wording changes until the content differs enough to bypass detection.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script reads from a centralized user .env file outside the skill directory to obtain a wallet-related value, which expands the skill's access beyond its stated social posting purpose. Even though it only extracts an address here, this pattern grants the skill visibility into a shared credential store and creates a path for unintended secret exposure or later abuse.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This skill includes blockchain wallet balance monitoring and funding prompts that are outside the declared scope of posting to X/Twitter and Farcaster. Scope expansion matters because users may grant trust based on the manifest, while the code introduces financial-account visibility and nudges users toward transferring funds.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script sources credentials from a hard-coded local path (/home/phan_harry/.openclaw/.env) rather than using a documented, user-supplied, or runtime-injected secret source. This creates hidden credential access behavior tied to a specific workstation layout, increases the blast radius if the skill is reused on another machine, and is not necessary for a generic reply skill to function safely.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
This section directly describes the feature as intended to bypass Twitter anti-spam duplicate-content protections, which is a strong indicator of abuse-enabling functionality rather than ordinary social posting support. A skill that helps users systematically evade platform enforcement materially increases the likelihood of misuse for spam, sockpuppet amplification, or ban avoidance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start commands prominently show live posting and replying, but do not clearly warn that non-dry-run invocations will publish publicly and may incur charges. In a social-posting skill, this creates a real risk of accidental public actions, reputational damage, and unexpected spending by users who treat examples as safe to try.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that Farcaster images are uploaded to catbox.moe but does not explain the privacy, retention, or third-party data handling implications. Users may unknowingly send sensitive or private images to an external public hosting service, creating confidentiality and compliance risks.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The documented default behavior allows posting to both platforms simultaneously, which broadens the action scope if the user omits target flags or an agent invokes the skill ambiguously. In an automation context, that can lead to unintended public posting across multiple accounts and services, increasing reputational and privacy impact.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that Farcaster images are uploaded to Imgur for public URLs, but it does not clearly and prominently warn that this sends user-provided images to a public third-party host. That can expose sensitive or private media and associated metadata outside the intended posting platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code transmits local file contents to external services via curl without any explicit user warning or consent at the point of disclosure. In an agent skill context, users may believe they are only posting to Farcaster, while the implementation silently sends the file to separate infrastructure, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The function submits user-provided URLs to TinyURL over plain HTTP, exposing the full URL to TinyURL and to any network observer or intermediary. Because this skill is specifically designed to publish social content, the URLs may reveal unpublished content, tokens, campaign parameters, or internal resources, making the undisclosed third-party transmission more dangerous in context.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script implicitly sources a local .env file containing secrets without any validation, disclosure, or least-privilege boundary. In an agent skill, hidden credential loading is risky because it couples execution to ambient local secrets and can cause actions to run under privileged accounts the caller did not explicitly authorize.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script makes outbound calls to Twitter/X, including an account-modifying POST path, without any user-facing disclosure or confirmation. In a social-posting skill, silent network activity is more sensitive because users may expect analysis or validation but instead trigger real external API actions and billable requests.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The library silently loads sensitive credentials from a local .env file without any user-visible disclosure or consent boundary. In an agent workflow, hidden secret access can surprise users and makes it harder to reason about what authority the skill is exercising.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently loads a fixed .env file and then consumes multiple API secrets without any explicit user-facing disclosure at execution time. Hidden secret loading is risky in an agent skill because operators may not realize local credentials are being accessed, especially when the rest of the script appears to only perform social replies.

Ssd 4

Medium
Confidence
97% confidence
Finding
The feature is framed around incremental text mutation specifically to evade platform anti-spam controls, with examples like emoji injection, punctuation changes, and synonym swaps. That context makes the capability dangerous because it operationalizes low-effort content laundering across accounts while preserving message intent, a common pattern in spam and coordinated manipulation.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Checking balances on Base..."
echo ""

ETH_BALANCE_WEI=$(curl -s -X POST "$BASE_RPC" \
  -H "Content-Type: application/json" \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"eth_getBalance\",\"params\":[\"$CUSTODY_ADDRESS\",\"latest\"],\"id\":1}" \
  | jq -r '.result')
Confidence
82% confidence
Finding
curl -s -X POST "$BASE_RPC" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
