xclaw

The x-openclaw skill (SKILL.md) is designed to scrape X (Twitter) posts and download associated media. It instructs the agent to execute shell commands (mkdir and curl) to create directories and download files based on data extracted from the web (URLs and post IDs). While the intent is aligned with the stated purpose, the use of shell commands with externally sourced, unsanitized data presents a potential shell injection vulnerability, and the broad file/network access via the shell meets the criteria for a suspicious classification.