Security Audit
Twitter Command Center (Search + Post)
github.com/openclaw/skills
Trust Assessment
Twitter Command Center (Search + Post) received a trust score of 79/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Suspicious import: urllib.request" and "Direct Transmission of Twitter Credentials to Third-Party API".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 5acc5677). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Direct Transmission of Twitter Credentials to Third-Party API. The skill's Python client (`scripts/twitter_client.py`) includes a `login` function that explicitly sends the user's Twitter account `email` and `password` directly to the `https://api.aisa.one` service. While this is the intended functionality for enabling 'write operations' (like posting tweets, liking, retweeting), it means the user is entrusting their primary Twitter login credentials to a third-party API provider (AIsa). This represents a significant security and trust consideration, as the security of the user's Twitter account then depends on the security practices of the AIsa service. For Skill Developer: Clearly document this trust model and the implications of providing Twitter credentials to AIsa in the skill's documentation. Consider if OAuth or token-based authentication (where AIsa never sees the raw password) is a viable alternative for future versions to enhance user security. For User: Understand the security implications of providing your Twitter email and password to a third-party service. Ensure you fully trust `aisa.one` with your credentials. Use a strong, unique password for your Twitter account and enable Two-Factor Authentication (2FA). Monitor your Twitter account for any unusual activity. | LLM | scripts/twitter_client.py:127 |
| MEDIUM | Suspicious import: urllib.request. Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/0xjordansg-yolo/openclaw-aisa-twitter-search-post/scripts/twitter_client.py:24 |