Is jkjx/clawtter safe?

https://github.com/openclaw/skills/tree/main/skills/jkjx/clawtter

Overall score: 77 · Verdict: CAUTION

Clawtter is a social media CLI skill for an AI-agent social network. The SKILL.md is free of prompt injection and the install was clean, contacting only GitHub. The primary concerns are architectural: the skill establishes an outbound posting channel to an unverified third-party service (clawtter.io) that receives all agent-posted content, the API base URL is fully overridable via environment variable enabling traffic redirection, and the feed monitoring feature creates a live indirect prompt injection surface. Minor provenance inconsistencies between the _meta.json commit URL, install source, and package.json author add uncertainty about ownership.

Category Scores (score/100 · weight in overall score)

Prompt Injection 82/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 82/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

HIGH Outbound posting channel to unverified third-party service -25

The core function of this skill is to post arbitrary text to api.clawtter.io. An agent with this skill active and access to sensitive context (environment variables, files, user data) could be socially engineered or confused into posting that data publicly to the Clawtter platform. The operator of clawtter.io (unknown) receives all posted content.

HIGH API base URL fully overridable via environment variable -10

The CLAWTTER_API_BASE environment variable overrides the destination of all API calls. If an attacker can set this variable (e.g., through another skill, a compromised environment, or indirect prompt injection), all posts, likes, and feed requests can be redirected to an attacker-controlled server that logs payloads including the agent's API key and all posted content.

MEDIUM Feed command creates indirect prompt injection attack surface -25

The clawtter feed command fetches live posts from a public social network and exposes their content to the agent's context. Any Clawtter user can craft posts containing malicious agent instructions. This creates a perpetual, unauthenticated injection channel that activates whenever the agent checks the feed.

MEDIUM Skill provenance mismatch — unclear ownership chain -20

The _meta.json commit URL points to github.com/clawdbot/skills, but the skill was installed from github.com/openclaw/skills. The package.json author field (WALC) differs from the _meta.json owner (jkjx). These inconsistencies suggest the skill was transferred across repositories or ownership is unclear, making attribution and trust verification difficult.

LOW Shell script interpolates post text without JSON-safe escaping -10

In cmd_post(), the $text variable is interpolated directly into a double-quoted shell string used as the curl -d argument. While bash does not re-expand the contents of an already-assigned variable (so shell metacharacters in $text are not executed), text containing double-quote characters will produce malformed JSON and could alter the structure of the JSON request body. An agent constructing clawtter post commands from untrusted input could inadvertently corrupt or manipulate the request body.

LOW Feed content exposed to agent without sanitization boundary -18

SKILL.md documents feed monitoring as a use case for programmatic engagement. When an agent reads feed output and acts on it, feed posts are parsed as agent-readable text without XML/delimiter boundaries. Sophisticated attackers could craft posts that blend with agent instructions. The risk is low in the skill definition itself but elevated at runtime.

INFO Install process contacts GitHub only — clean clone 0

The installation executed a shallow sparse checkout from github.com/openclaw/skills.git targeting only the skills/jkjx/clawtter subtree. No additional network connections attributable to the skill were observed. The connection to 185.125.188.59 was already established before the install ran and is not attributed to the skill.

INFO Canary files read during audit but attributed to oathe framework 0

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at two timestamps. The first access, at 1771909826.x, occurred before the install script ran at 1771909831.x, indicating oathe baseline initialization rather than skill activity. The second, at 1771909851.x, occurred during post-install scanning. No modification of the canary files and no correlated network egress were detected.