Skill Trust Decision

tweet-monitor-pro

Tweet Monitor Pro shows multiple documentation-behaviour mismatches: an undeclared shell execution capability, a dependency on an externally referenced script, and a "zero-dependency" claim even though hidden dependencies are actually present.

Install decision first
Source: ClawHub
Scanned: Apr 19, 2026
Files 5
Artifacts 2
Violations 2
Findings 4
Most direct threat evidence
01
User installs the tweet-monitor-pro skill Entry · SKILL.md
02
The skill calls execSync to run an external Python script Escalation · index.js
03
RCE results if the external script is replaced with malicious code Impact · /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User installs the tweet-monitor-pro skill

Entry · SKILL.md:1

02
The skill calls execSync to run an external Python script

Escalation · index.js:97

03
RCE results if the external script is replaced with malicious code

Impact · /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py:1

What drove the risk score up

Undeclared shell execution +25

SKILL.md does not declare any use of execSync, but lines 97-107 of the code run the python3 command via execSync

Undeclared external script dependency +20

The code references /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py, a script that is not part of the skill package

Documentation-behaviour mismatch +15

SKILL.md claims 'Zero-dependency basics', but the code actually depends on an external Python script

Hard-coded absolute path +10

Line 98 hard-codes the path /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py

Local quota file write +5

Writes quotas.json via fs.writeFileSync; this is not explicitly declared in the documentation

Most important evidence

High Doc Mismatch

Documentation claims zero dependencies, but an external script dependency exists

The Features section of SKILL.md claims 'Zero-dependency basics: Fetch single tweets without Camofox', but index.js depends, via execSync, on an external Python script located at /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py. This constitutes shadow functionality.

index.js:98
Inline the Python script's content into the skill package, or replace the execSync call with Node.js's native fetch

High Priv Escalation

Undeclared shell execution capability

The code uses execSync in several places to run the python3 command (in the fetchTweet, fetchTimeline and monitorUser functions). This is a shell:WRITE-level operation, but neither SKILL.md nor manifest.json declares this permission.

index.js:97
Add a shell execution declaration to the Tools section of SKILL.md, or refactor the code to use HTTP API calls instead of a subprocess

Medium Supply Chain

External script reference carries supply-chain risk

The code hard-codes a reference to the external path /root/.openclaw/workspace/skills/x-tweet-fetcher/scripts/fetch_tweet.py, and that script is not part of the skill package. If the script is maliciously replaced or modified, the result is arbitrary code execution.

index.js:98
Avoid hard-coded paths; use relative paths or scripts embedded in the skill

Low Sensitive Access

Local quota database read/write

The code reads and writes a local quotas.json file to store user quota information. Although this is required for the commercial feature, the filesystem WRITE permission is not explicitly declared in the documentation.

index.js:22
Add a description of the quota storage mechanism to the documentation

Declared capability vs actual capability

Shell Block
Declared NONE
Inferred WRITE
index.js:97-107 execSync call
Filesystem Block
Declared NONE
Inferred WRITE
index.js:22-26 fs.writeFileSync writes quotas.json
Network Pass
Declared READ
Inferred READ
SKILL.md declares use of the FxTwitter endpoint

Suspicious artifacts and egress

Medium External URL
https://x.com/user/status/123456

README.md:54

Medium External URL
https://skillpay.me

README.md:97

Dependencies and supply chain

There are no structured dependency warnings.

File composition

5 files · 665 lines
JavaScript · 1 file · 340 lines
Markdown · 2 files · 286 lines
JSON · 2 files · 39 lines
Files of concern · 2
index.js JavaScript · 340 lines
Documentation claims zero dependencies but an external script dependency exists · Undeclared shell execution capability · External script reference carries supply-chain risk · Local quota database read/write
README.md Markdown · 143 lines
https://x.com/user/status/123456 · https://skillpay.me
Other files · SKILL.md · manifest.json · quotas.json

Security positives

The quota management system is fully implemented and supports multi-tier subscription plans
Error handling is fairly thorough, with user-friendly error messages
Supports commercial integration (SkillPay.me)