Is lpbaril/twinfold safe?

https://github.com/openclaw/skills/tree/main/skills/lpbaril/twinfold

90
SAFE

The lpbaril/twinfold skill is a transparent, well-structured API integration for the Twinfold social media management platform. No prompt injection, hidden executable code, covert exfiltration channels, or malicious clone-time behavior was detected. The skill's only outbound target is the declared twinfold.app API endpoint, and its credential requirement (TWINFOLD_API_KEY) is fully disclosed in metadata. The primary residual risk is inherent to the skill's purpose: it enables autonomous social media publishing via autoPublish and runAutopilot workflows, and the addKnowledge tool transmits user-supplied content to an external server — both are documented, expected behaviors that agent implementations should gate on explicit user confirmation.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

LOW addKnowledge transmits content to external server -10

The addKnowledge tool sends user-supplied text to Twinfold's servers and stores it persistently in the Twin knowledge base. While this is documented intended behavior, it creates an outbound data channel. A poorly constrained agent could include sensitive conversation context (e.g., file contents, credentials mentioned in chat) when invoking this tool. The skill itself contains no instructions to do so covertly.

LOW autoPublish and runAutopilot enable fully autonomous posting -12

The createPost tool exposes autoPublish:true and runAutopilot triggers a full discover→create→publish pipeline without requiring explicit user confirmation at publish time. Workflow 8 ('Full Autonomous Pipeline') explicitly guides the agent to set autoPublish:true and post without human review. This is the intended use case but requires that agent implementations enforce user confirmation before executing.

LOW setBrandGuide silently overwrites account configuration -7

The setBrandGuide tool is free (no credits) and overwrites the user's global brand guide with arbitrary markdown. If an agent were manipulated via prompt injection from a separate source (e.g., a malicious document the user asked the agent to process), this tool could be used to persistently alter the brand identity applied to all future Twinfold content.

INFO External URL present in skill body -8

The skill references https://twinfold.app/api/mcp/tools as the sole API endpoint and https://twinfold.app in setup instructions. These are consistent with the skill's declared purpose and do not instruct the agent to fetch arbitrary remote content or exfiltrate data.

INFO TWINFOLD_API_KEY read from environment -8

The skill accesses TWINFOLD_API_KEY from the process environment. This is fully declared in the skill's openclaw metadata under requires.env. No attempt is made to access additional credentials beyond what is declared.

INFO Monorepo sparse-checkout install pattern -10

Install clones the full openclaw/skills monorepo with --depth 1 --no-checkout, performs sparse-checkout for the target subpath, copies files, and deletes the clone. This is an expected install pattern and introduces no security risk beyond the standard GitHub network connection.