Is 0xjordansg-yolo/openclaw-aisa-twitter-search-post safe?

https://github.com/openclaw/skills/tree/main/skills/0xjordansg-yolo/openclaw-aisa-twitter-search-post

79
CAUTION

This skill is a Twitter/X API wrapper that routes all operations through a third-party proxy service (api.aisa.one). While no malicious code, prompt injection, or hidden behaviors were detected, the credential proxy architecture means users must trust aisa.one with their Twitter login credentials (email and password). The skill also enables fully autonomous social media posting without built-in confirmation gates, creating risk of unintended or manipulated content publication.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 58/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 42/100 · 5%

Findings (8)

HIGH Twitter credentials proxied through third-party API -30

All Twitter operations, including login with email/password, are routed through api.aisa.one rather than directly to Twitter. This gives the third-party service full access to user credentials and the ability to impersonate users. The login endpoint (POST /twitter/user_login_v3) accepts plaintext email, password, and proxy URL, all of which are sent to aisa.one's servers.

MEDIUM Autonomous social media posting without confirmation gates -20

The skill enables an LLM agent to post tweets, like content, retweet, and update user profiles without any built-in confirmation or human-in-the-loop mechanisms. A malicious prompt injection in other context (e.g., a webpage the agent reads) could manipulate the agent into posting harmful content, spam, or leaked sensitive data.

MEDIUM API key enables full operation tracking by third party -12

Every API call includes the AISA_API_KEY as a Bearer token, allowing api.aisa.one to build a complete profile of user activity including search queries, monitored accounts, engagement patterns, and posted content. The usage tracking (cost and credits_remaining) confirms per-request logging by the service.

MEDIUM Profile modification endpoint enables account defacement -15

The update_profile_v3 endpoint allows changing a Twitter account's display name and bio. If the agent is compromised or manipulated, this could result in account defacement or impersonation.

LOW Autonomous engagement examples normalize unattended actions -8

The skill's example prompts frame fully autonomous social media engagement as standard behavior, without suggesting the agent should confirm with the user before taking irreversible actions like posting tweets or modifying profiles.

LOW Cross-skill data leakage risk via public tweets -10

If combined with skills that handle sensitive data (code, credentials, internal documents), the agent could be prompted to summarize or share information via public tweets, creating a data exfiltration channel that bypasses filesystem monitoring.

INFO Python client is clean and auditable -3

The twitter_client.py script uses only Python standard library modules (urllib, json, argparse, os, sys). No obfuscation, no eval/exec, no dynamic imports, no network calls outside the documented API. Code is well-structured and straightforward.

INFO Clean installation with no unexpected activity -5

Installation consisted of a standard sparse git checkout from GitHub. No connections to third-party services, no unexpected process spawning, no filesystem changes outside the skill directory.