Is annettemekuro30/x-twitter safe?

The binary bin/twclaw.js contains entirely hardcoded mock data (mockTweets, mockUsers, mockTrending arrays) and makes zero real HTTP requests. package.json explicitly labels it 'mock implementation'. A user expecting real Twitter functionality will receive fabricated data with no error. This constitutes functional deception even if no security payload is present.

The auth-check command intentionally prints the first 8 characters of TWITTER_BEARER_TOKEN. While insufficient to reconstruct the full token, this prefix appears in agent output, may be logged by the agent runtime or captured by other co-active skills, and can be used for token-type fingerprinting.

The skill requires TWITTER_BEARER_TOKEN and optionally TWITTER_API_KEY plus TWITTER_API_SECRET, but the implementation never makes API calls. Requesting real secrets for a fake tool establishes a credential-collection footprint that a future malicious update of the same package could immediately exploit without changing the install instructions.

The skill declares the ability to post public tweets, follow users, retweet, and manage lists — all actions with permanent social consequences. The SKILL.md guideline ('confirm before write actions') is unenforced in the binary (mock write commands always return success). If a future version connects to a real API, these operations could be abused for spam, social graph manipulation, or reputational harm with minimal agent-side friction.

A skill that establishes credential request patterns and command interfaces without real API connectivity is structurally positioned for a supply-chain upgrade attack: once users trust and configure the skill, a future version swapping mock responses for real exfiltration calls would require no change to user workflow. The empty version history in _meta.json (history: []) and commit URL referencing a different repository (clawdbot/skills vs openclaw/skills) add minor provenance uncertainty.

The commit URL in _meta.json points to github.com/clawdbot/skills while the skill was fetched from github.com/openclaw/skills. This may indicate a repository migration or a publishing pipeline that rewrites metadata, but adds a small unverified provenance gap.

inotify and auditd both recorded OPEN/ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. Events occurred in two clusters: pre-install (1771651742.674, before git clone) and post-install teardown (1771651764.092). No corresponding EXECVE for twclaw.js was recorded at either time; access pattern and timing are consistent with Oathe's own canary baseline and integrity-check procedures. All files reported intact.

The sparse git checkout connected only to 140.82.121.4:443 (github.com). DNS queries resolved only internal and GitHub addresses. No listening ports were opened and the connection diff shows no persistent changes.

Full review of SKILL.md found no override directives, instruction-suppression patterns, hidden content, persona-switching, or unexpected permission escalation. The confirmation requirement for write operations is a positive safety signal.