Is chaimengphp/openclaw-aisa-twitter-search safe?

https://github.com/openclaw/skills/tree/main/skills/chaimengphp/openclaw-aisa-twitter-search

79
CAUTION

The openclaw-aisa-twitter-search skill is a Twitter API proxy wrapper that routes all operations — including authentication credentials — through a commercial third-party service (api.aisa.one). The skill code itself is clean with no hidden malware, prompt injection vectors, or install-time execution. The primary risk is architectural: the login command transmits plaintext Twitter passwords to aisa.one, the third party gains persistent account access, and all social graph queries are logged by an external provider. Combined with the skill's autonomous like/retweet/post capability, this creates meaningful account security, privacy, and social manipulation risks that users should consciously accept before installation.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 52/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Twitter credentials transmitted to third-party api.aisa.one -30

The login command in both the curl examples and Python client sends Twitter username, email, and plaintext password to api.aisa.one. This is a commercial third-party service outside user control. The credential exposure is architectural — it is the intended design of the aisa.one proxy model — but represents a material account security risk for any user whose agent invokes the login flow.

HIGH Persistent Twitter session stored at third-party; agent can post/like/retweet autonomously -25

After login, aisa.one holds the Twitter session server-side. All subsequent write operations reference only the stored username. An agent can post, like, and retweet without re-authentication. This enables social media manipulation if the agent is compromised via prompt injection from external content (e.g., a malicious tweet the agent reads).

MEDIUM All Twitter social graph queries logged by third-party proxy -15

Every API call routes through api.aisa.one. Follower lists, following lists, user profile lookups, and search queries are all visible to the third-party provider. Users querying competitor intelligence or monitoring specific accounts create a surveillance record at aisa.one.

MEDIUM Autonomous social engagement encourages ToS-violating bulk actions -15

The skill's example prompts explicitly suggest bulk like/retweet automation. This pattern could trigger Twitter account suspension and, if driven by agent misinterpretation, could cause reputational harm to the user.

LOW Canary files read during monitoring window — not attributed to skill code -3

Six sensitive canary files were accessed at 10:24:25 (6 seconds before git clone) and again post-install. File contents were confirmed intact. The Python skill code contains no logic to read filesystem paths. The pre-install accesses are consistent with oathe audit framework baseline setup; post-install accesses consistent with post-install integrity verification.

LOW Automated engagement examples may prime agent toward bulk actions without confirmation -10

SKILL.md examples normalize autonomous like/retweet behavior. When loaded into an agent system prompt, these examples shape the agent's interpretation of ambiguous user requests toward bulk social actions.

INFO Python script uses stdlib only; no install hooks, submodules, or remote code execution -15

twitter_client.py is a clean CLI wrapper with standard library imports only. No package.json install scripts, no git hooks, no submodules, no eval/exec, no subprocess calls. Skill code is safe to install.