Is arubiku/mia-twitter-stealth safe?
https://github.com/openclaw/skills/tree/main/skills/arubiku/mia-twitter-stealth
The mia-twitter-stealth skill is clean at the package level — it contains only documentation with no executable code, no prompt injection attempts, and canary files remain intact. However, the skill is explicitly designed to evade Twitter/X platform security systems to enable automated bot activity, violating platform Terms of Service and providing infrastructure for disinformation or coordinated inauthentic behavior campaigns. The credential exposure surface (X_AUTH_TOKEN and X_CT0 in env context) creates meaningful risk when the skill is active alongside network-capable tools.
Category Scores
Findings (8)
HIGH Designed for Platform Security Evasion -50
The skill's advertised core feature is defeating Twitter/X bot detection: it explicitly hides navigator.webdriver, masks Chrome automation signatures, and spoofs browser fingerprints. This is not a side effect — it is the primary value proposition. The skill is deceptive by design and violates Twitter/X Terms of Service on its face.
HIGH Enables Coordinated Inauthentic Behavior at Scale -28
The skill provides automated mass liking, following, and tweeting with stealth features. Distributed rate limits (5/hour, 50/day) are calibrated to stay below per-account thresholds while allowing sustained coordinated activity across multiple accounts. This is a standard template for disinformation, astroturfing, and influence operations.
HIGH High-Value Twitter Session Token Credential Exposure -25
The skill requires X_AUTH_TOKEN and X_CT0 — Twitter/X session tokens granting full account access — as environment variables. When an LLM agent reads these to invoke mia-twitter, the tokens enter the model's context window. Any subsequent tool call (HTTP request, file write, eval) made by the agent or a co-active skill can silently exfiltrate them. The skill provides no credential scoping or sandboxing guidance.
MEDIUM Headful Browser with Persistent Session Accesses Full User Profile -15
The skill uses headful Chromium with a persistent user data directory, cookie storage, and localStorage. This means it operates inside the user's actual browser profile rather than an isolated context, potentially reading cookies and storage from other logged-in services beyond Twitter.
MEDIUM Credential Files Accessed During Monitoring Window -13
Multiple sensitive credential files were opened during the audit period (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json). The access pattern — clustered at two points matching known audit infrastructure scan intervals — is consistent with pre/post canary scanning rather than skill-induced access. However, the pattern is documented as a risk signal.
LOW Automation Transparency Risk -15
While no injection techniques were found in SKILL.md, the skill's stealth framing may cause an LLM agent to take actions (posting, liking, following) without surfacing them clearly to the user, since the skill's purpose is to appear non-automated.
LOW openclaw-gateway Outbound Connections to AWS IPs -16
The post-installation connection snapshot shows openclaw-gatewa (pid=1089) with established connections to 44.214.208.192:443 and 54.211.197.216:443 (both AWS IP space) and local listeners on 18790/18793. These are consistent with pre-existing audit infrastructure and not attributable to the skill, but are documented for completeness.
LOW Canary Files Intact; Access Events Noted -22
All honeypot files passed integrity checks — no content was modified or exfiltrated. Credential file access syscalls were present but match the audit system's own scanning pattern. No skill-attributed canary compromise was detected.