Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendation
Proceed with caution. The post.js script does perform browser automation and needs your Twitter username/password in a .env — only use these credentials if you absolutely trust the source and prefer browser-driven automation over OAuth/API tokens. The package advertises monitoring/reply/analysis features but the corresponding scripts are missing; this indicates the package is incomplete or poorly maintained. Before installing: (1) prefer OAuth/API tokens (twitter-api) or app-specific credentials...
⚠ Purpose and capabilities
Name/description (Twitter automation) aligns with the provided post.js, which uses puppeteer to log in and post. However, package.json and SKILL.md list additional dependencies (playwright, twitter-api-v2, node-cron, OpenAI) and commands (monitor, reply, analyze) whose implementation files are missing. Registry metadata declares no required env vars, while SKILL.md asks for TWITTER_USERNAME/PASSWORD/EMAIL and an optional OPENAI_API_KEY. These mismatches suggest sloppy packaging or incomplete/changed code.
⚠ Instruction scope
SKILL.md instructs installing several packages and storing account credentials in a .env; index.js enforces a .env file and spawns scripts. The post flow (post.js) reads TWITTER_USERNAME/PASSWORD/EMAIL via dotenv and automates browser login — coherent for browser-based automation. But SKILL.md promises monitoring, auto-reply and analysis features; index.js references monitor.js/auto-reply/analyze scripts that are not present in the bundle, so the instructions overpromise and the runtime behavior could differ if those files are added later.
ℹ Install mechanism
There is no formal install spec; SKILL.md asks users to run npm install for the listed packages. The dependencies are typical for browser automation (puppeteer, dotenv), though twitter-api-v2 and playwright are listed but unused in the included code. No external URL downloads or archives are used. Installing heavy packages like puppeteer is expected for this functionality but increases the attack surface if any of those packages are malicious or compromised.
⚠ Credential requirements
The skill requires direct Twitter credentials (username/password/email) per SKILL.md and post.js, but the registry metadata does not declare any required env vars — an incoherence. Requesting account credentials is proportionate to a puppeteer-based login approach but is sensitive: storing plaintext account passwords in .env and giving them to third-party code is risky. SKILL.md also asks for an OPENAI_API_KEY which is not used by the included scripts, another unexplained requested secret.
✓ Persistence and permissions
The always flag is false and disable-model-invocation is left at its default; the skill does not request elevated platform privileges. It spawns child processes and launches a browser (puppeteer), which is expected for this functionality but increases local resource usage. The bundle does not attempt to modify other skills or system-wide agent settings.
⚠ index.js:85
Shell command execution detected (child_process).
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/11
● Suspicious
Install command
Official: npx clawhub@latest install twitter-automation-suite
Mirror (accelerated): npx clawhub@latest install twitter-automation-suite --registry https://cn.longxiaskill.com