ClawAudit verdict

twitter-agent-skill

twitter-api

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

The skill provides a cookie-based Twitter/X automation toolkit, with clear documentation of its usage and no suspicious behavior detected.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

security: 58
transparency: 90
maintenance: 70

Findings (5)

Pattern match high

Possible hardcoded credential

twitter_api/demo_langchain_tools.py · prose · downgraded · TOKEN = "f06ec149475390a01262510a1cc1b59c9760a318

Pattern match medium

Long base64 string (100+ chars) — likely obfuscated payload

twitter_api/demo_langchain_tools.py · prose · downgraded · 37318663228df008399ba56501e3512d4b1b1d30eb852fc958561da0888027014e91199162dbc93f

Pattern match low

Python os.environ.get — reads environment variable

scripts/fetch_notifications.py · prose · downgraded · os.environ.get(

Pattern match low

Python aiohttp session — async network access

twitter_api/api/profile.py · prose · downgraded · aiohttp.ClientSession

Pattern match low

Base64 encoding/decoding

twitter_api/utils/helpers.py · prose · downgraded · Base64-encode

Permissions & capabilities

Requires 2 system binaries. (1 elevated: git).
