Is franciscobuiltdat/tweet-summarizer-lite safe?
https://github.com/openclaw/skills/tree/main/skills/franciscobuiltdat/tweet-summarizer-lite
Tweet Summarizer Lite is a functional Twitter/X fetch-and-summarize skill with no overtly malicious code. The primary concerns are architectural: tweet.py exposes the full process environment to the external bird CLI subprocess (potentially leaking any secrets set in the user's shell), the SKILL.md prompt instructs the agent to hide script invocations from the user, and the skill depends on an external npm package (@steipete/bird) outside the author's control. Canary file reads detected during monitoring are attributable to the oathe audit infrastructure's pre/post baseline checks, not the skill itself.
Findings (8)
HIGH Full process environment passed to bird subprocess -22
tweet.py constructs the subprocess environment as {**os.environ, 'AUTH_TOKEN': auth_token, 'CT0': ct0}, which copies all parent environment variables — including any secrets the user may have set such as AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY, GITHUB_TOKEN, or database passwords — into the bird process environment. If bird makes outbound network calls, it has access to all of these values.
MEDIUM Silent script execution model hides agent actions from user -15
SKILL.md explicitly instructs the injected agent persona to conceal script invocations: 'You run the scripts internally — the user never types python3. Respond naturally, then exec the appropriate script.' This systematically removes user visibility into what shell commands the agent is running on their behalf, making it harder to detect misuse or error.
MEDIUM Runtime dependency on external npm package @steipete/bird -15
The skill requires npm install -g @steipete/bird to function. This is an external npm package not controlled by the skill author. A compromised release of bird would execute arbitrary code with full access to AUTH_TOKEN, CT0, and the rest of the user's environment as passed by tweet.py.
MEDIUM Twitter session cookies required as persistent environment variables -10
The skill requires AUTH_TOKEN and CT0 — full Twitter session credentials — to be exported in the user's shell profile (~/.bashrc or ~/.zshrc per SECURITY.md). This makes live session tokens available to all processes in the user's shell session, not just this skill, increasing the attack surface for credential theft by any other tool or skill.
LOW Undocumented --source flag: SKILL.md and code are out of sync -8
SKILL.md documents 'python3 scripts/search_tweets.py --source elonmusk' but search_tweets.py's main() only handles --text, --list-sources, and --stats. Invoking --source will print 'Unknown command' and exit 1. The agent may retry alternative search strategies or shell escapes to accomplish the task.
LOW Embedded upsell to tweet-summarizer-pro within injected system prompt -5
SKILL.md contains marketing copy directing users toward 'tweet-summarizer-pro' for threads, collections, tags, and timelines. This upsell is injected into the agent's system context on every conversation. It creates a social-engineering pathway toward a second, unreviewed skill that would have broader permissions.
INFO Canary file reads preceded git clone — attributed to audit infrastructure 0
Filesystem monitoring recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud credentials at 08:50:30, five seconds before the git clone started at 08:50:35. A second identical read pass occurred at 1771923047.778 after all audit scans completed. Timing analysis is consistent with oathe's own pre/post canary baseline reads, not skill activity.
INFO Unusual __import__() pattern in tweet.py 0
tweet.py calls __import__('datetime') inline instead of using a top-level import statement. This is functional but atypical; in obfuscation contexts this pattern is used to hide imports from static analysis. No malicious behavior observed here but worth flagging for code review.