Auto-mirror Twitter/X content to Binance Square. Monitors specified Twitter accounts or topics, fetches new tweets, transforms content, and posts to Binance...
Security Analysis
medium confidence
The skill's stated purpose (mirroring X/Twitter to Binance Square) matches the code and instructions, but there are inconsistencies and third‑party dependencies (notably an undocumented '6551' API), and the registry metadata omits required credentials — review before use.
The skill's name/description (mirror tweets to Binance Square) aligns with the included script and SKILL.md which fetch tweets and post to Binance Square. However the registry metadata lists no required environment variables while both SKILL.md and the code require TWITTER_TOKEN and SQUARE_API_KEY — this metadata omission is an inconsistency you should verify with the author.
Runtime instructions and the script instruct HTTP POSTs to two external endpoints: ai.6551.io (for fetching tweets) and binance.com (for posting). The use of a third‑party API host (ai.6551.io / 6551.io) instead of the official Twitter API is unexpected and requires trust in that service because it will receive any token you supply and all requested tweet data. The script reads/writes a local state file (mirror_state.json) to record posted tweet IDs — expected for deduplication. No other unrelated file system or credential access is instructed.
There is no install spec (instruction-only) but the package includes a Python script that will be executed; no external installers or archive downloads are used. Because the code is bundled with the skill, installing/running it will write files (state file) and make network calls — review the included scripts before running.
The SKILL.md and code require two credentials (TWITTER_TOKEN for the 6551 API and SQUARE_API_KEY for Binance Square). Those credentials are proportionate to the task, but the TWITTER_TOKEN is explicitly tied to a third‑party service (6551.io) rather than an official Twitter API token; handing a token to an unfamiliar service may allow that service access to your account data. Also the skill manifest declared no required env vars — an inconsistency that reduces transparency.
The skill is not force‑included (always:false) and does not request elevated agent privileges. It creates a local state file (mirror_state.json) to track posted tweet IDs — expected behavior for deduplication. Autonomous invocation is enabled by default but not unusual for a skill of this type.
Guidance
Before installing or running this skill:
1) Verify the author/source — registry metadata omits the required env vars (TWITTER_TOKEN, SQUARE_API_KEY); ask the publisher to explain the mismatch.
2) Investigate the 6551 service (ai.6551.io / 6551.io). The skill directs your Twitter access token to that third party rather than the official Twitter API — only provide a token if you trust how that service will store/use it.
3) Check Binance API key scope — use a key with the minimum privileges required and consider a dedicated test account.
4) Review the included scripts locally (scripts/auto_mirror.py) before running; run first with --dry-run/--once in an isolated environment to confirm behavior.
5) If you prefer stronger control, modify the script to call an API you control or the official Twitter API, or remove/replace the 6551 endpoints.
6) Consider running in a container or sandbox and monitor outbound network traffic to confirm only the expected endpoints (ai.6551.io and binance.com) are contacted.
Latest Release
v0.1.0
Initial release of the Twitter to Binance Square Auto-Mirror Skill.
- Automatically fetches and transforms tweets from specified Twitter accounts, hashtags, or keywords.
- Posts transformed tweets to Binance Square, with support for deduplication and configurable intervals.
- Provides robust content transformation (translation, hashtag management, tool/source attribution).
- Includes a flexible JSON configuration schema and state file for managing posted tweets.
- Supports command-based invocation for easy automation.
Published by @infra403 on ClawHub