twitter

Security checks across malware telemetry and agentic risk

Overview

This is a real Twitter/X automation skill, but it needs Review because it can publish or engage from an account and forwards raw login credentials to a third-party API without enough disclosure or consent controls.

Install only if you trust the SkillBoss/api.aisa.one provider with the connected X account and any proxy credentials. Prefer a dedicated low-risk account, avoid sharing a primary password where possible, and require human approval before login, posting, liking, retweeting, or profile changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium (94% confidence)
The manifest and top-level description understate the scope of behavior by omitting login, profile changes, engagement actions, follower/following enumeration, and user/trend discovery. Security reviewers may approve the skill for limited posting/search use while unknowingly exposing users to broader surveillance and account-manipulation features.

Context-Inappropriate Capability

Medium (91% confidence)
Profile modification is a sensitive account-changing action that is not justified by the stated purpose of search, listening, and posting/replying. In an agentic context, undocumented profile editing increases the risk of reputational harm, impersonation, or unauthorized branding changes on the user's account.

Description-Behavior Mismatch

Medium (95% confidence)
The advertised capability is search/extract and publish tweets/replies, but the implementation also supports account login plus engagement actions such as like and retweet. This expands the skill's authority beyond the stated purpose, increasing the risk of undisclosed account manipulation and making it easier for an agent or operator to perform actions the user did not reasonably expect.

Context-Inappropriate Capability

High (98% confidence)
The skill collects highly sensitive credentials including Twitter username, email, password, optional TOTP code, and proxy details, which is broader than necessary for the described social-listening use case. In this context, collecting full login material enables full account takeover risk if mishandled, logged, intercepted, or reused by the remote service.

Missing User Warnings

Medium (95% confidence)
The README explicitly advertises write-capable actions such as posting tweets, likes, and retweets, but it does not warn users that these operations can create public content or trigger account engagement side effects. In an autonomous-agent context, this omission is risky because users may enable the skill without understanding that it can perform irreversible or reputation-affecting actions on their behalf.

Natural-Language Policy Violations

Medium (80% confidence)
The skill is framed for autonomous-agent operation without clear user opt-in language for sensitive actions like posting, liking, retweeting, and login. In an agent context, this increases the chance of unintended external actions occurring without meaningful human review.

Missing User Warnings

High (97% confidence)
The documentation warns about posting risk but fails to warn that Twitter credentials, email, password, and proxy details are submitted to a third-party service. This is dangerous because users may unknowingly hand over highly sensitive authentication material to an external broker, creating credential theft, account takeover, and privacy risks.

Missing User Warnings

Medium (96% confidence)
The login flow sends account credentials, 2FA material, and proxy information to a third-party API endpoint without any user-facing disclosure in the CLI about this sensitive transmission. Because this skill is an agent-facing automation tool, that lack of transparency materially increases the chance users or orchestrators unknowingly exfiltrate credentials to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.
