Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
No Cap
v1.0.0
Automatically ingest X/Twitter bookmarks, filter noise, and extract actionable signals. Run to process new bookmarks into structured intelligence.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (ingest X/Twitter bookmarks) is plausible, but the runtime steps assume a local repository with a TypeScript CLI (src/cli.ts) and use of npx/tsx. The published skill contains no code files, no repo, and declares no required binaries (node/npx). That mismatch means the skill cannot operate as described from the provided bundle alone.
Instruction Scope
Runtime instructions explicitly direct extraction of X session cookies from Chrome (auto-login) or manual copying of auth_token and ct0, reading and writing ~/.no-cap/config.json, and running CLI commands. Extracting browser session cookies and storing them locally is highly sensitive; the instructions do not provide secure handling or explain where/how code will run (there is no included code).
Install Mechanism
There is no install specification and no code files, yet the instructions expect you to run npx tsx against a local repoPath. The skill neither supplies the referenced repository nor declares Node/npx as required binaries. This is an incoherent install/runtime model — you would need to obtain code from elsewhere, which is not provided or verified here.
Credentials
The workflow requests sensitive credentials (X session cookies: auth_token and ct0) and optionally a Resend API key for email delivery. While these secrets are relevant to the skill's function, the bundle does not declare where they will be stored beyond a local config file, does not include code to inspect for leaks, and asks you to extract browser cookies — a high-risk operation if the code performing the extraction is not available for review.
Persistence & Privilege
The skill does not set always:true and does not claim system-wide privileges, but it instructs writing credentials to ~/.no-cap/config.json and setting permissions to 600. Storing session cookies locally is persistent and increases blast radius if the code is malicious; the behavior itself is explainable for this use case but should only be done after reviewing the implementation that will read those files.
Scan Findings in Context
[no-code-files] unexpected: The regex scanner found no code to analyze. That is inconsistent with SKILL.md, which repeatedly references src/cli.ts and running npx tsx — the skill expects code that isn't present in the bundle.
What to consider before installing
Do not follow the cookie-extraction steps or paste your auth_token/ct0 into anything until you have the actual source code and installation instructions. This published skill contains only runtime instructions but no code or install package — commands like `npx tsx src/cli.ts` reference files that are not included. Ask the publisher for the repository URL or a vetted release, review the code yourself (or have a trusted party review it), and prefer an OAuth/API-based integration rather than handing over browser session cookies. If you temporarily provide session cookies to any third-party tool, plan to revoke or rotate them immediately afterward. Finally, verify any tool requiring Node/npx/tsx on your system and avoid running unreviewed scripts as admin.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ftw5k3qz0g82557wbf7b7ks83s5jf
