Is tweet-writer safe?

https://clawhub.ai/sanky369/tweet-writer

Overall score: 82 (SAFE)

The tweet-writer skill is a text-only instructional knowledge base containing copywriting frameworks, tweet templates, and X algorithm optimization advice. It contains no executable code, no data exfiltration vectors, and no malicious payloads. The primary concerns are minor: directive language that mandates web searches during use (expanding the agent's activity surface) and references to companion skills that could encourage installing unvetted packages. Clone monitoring showed clean behavior with no network activity or canary tampering.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

LOW Directive agent behavior shaping -10

The skill uses imperative language ('you MUST research', 'Before writing ANY tweet, you MUST') that shapes agent behavior into a mandatory multi-step workflow including web searches. While this stays within the skill's declared purpose, the forceful directives expand agent activity beyond simple text generation.

LOW Mandatory WebSearch invocation pattern -10

The skill instructs the agent to perform web searches with specific query templates including site-scoped searches on twitter.com/x.com. This is legitimate for the skill's purpose but expands the agent's web activity and could expose user topic interests through search queries.

INFO External URL references in documentation -8

The skill references several external URLs (SocialBee, Typefully, Buffer, Metricool, etc.) in a 'Research Sources' section. These appear to be documentation references rather than fetch targets, but could be modified in future versions to direct agent fetching.

INFO Cross-skill installation encouragement -15

The 'Integration with Other Skills' section names four companion skills (Brand Voice, Direct Response Copy, Content Atomizer, SEO Content), which could serve as social engineering to encourage installing additional unvetted skills.

INFO Standard platform file reads during install -15

The install process read .env, .aws/credentials, .profile, .bashrc, and openclaw configuration files. These are consistent with the openclaw platform's standard initialization and not attributable to the skill itself.

INFO Persuasion framework content is ethically neutral but noteworthy -20

The skill teaches persuasion techniques (PAS, AIDA, curiosity gaps, controversy-driven engagement) that are standard copywriting education. These are not security risks but are worth noting as the agent will generate content designed to be psychologically persuasive.