Trust Assessment
twitter-openclaw received a trust score of 91/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 1 low severity. The findings are a missing Node lockfile and a partial Twitter Bearer Token exposed in `auth-check` output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| MEDIUM | Partial Twitter Bearer Token exposed in `auth-check` output | The `twclaw auth-check` command explicitly prints the first 8 characters of the `TWITTER_BEARER_TOKEN` environment variable to standard output. Exposing even a partial secret can be a security risk, as it might be logged or visible in certain execution environments, potentially aiding in credential harvesting or reconnaissance. Avoid printing any part of sensitive credentials to standard output. If verification is needed, only confirm the presence or validity of the token without revealing its value. For example, print '✓ TWITTER_BEARER_TOKEN is set and valid' instead of showing a truncated token. | LLM | bin/twclaw.js:108 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/annettemekuro30/x-twitter/package.json |