Is daydreamnationtechlabs/clawpost safe?

https://github.com/openclaw/skills/tree/main/skills/daydreamnationtechlabs/clawpost

72
CAUTION

This skill provides Twitter posting functionality through an external service but contains a critical security flaw with an exposed API key and requires installing an external browser extension. While the core functionality appears legitimate, the hardcoded credentials and external dependencies create significant security risks.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (4)

HIGH Hardcoded API Key Exposure -40

The skill contains a hardcoded API key 'claw_00befabe022666a86f18effea768fd40531b5c132ade52d3' in plain text. This exposes credentials that could be misused by malicious actors and creates shared authentication risks across all users of this skill.

MEDIUM External Browser Extension Requirement -15

The skill requires users to install a Chrome extension from an external source (clawpost.net), which increases the attack surface and introduces additional security dependencies.

MEDIUM External Service Data Transmission -10

Tweet content is transmitted to an external service (claw-post-api-ukpr57vsgq-uc.a.run.app), which could log, store, or misuse the data.

LOW External Service References -10

The skill requires users to interact with external websites (clawpost.net), which could be compromised or serve malicious content.