TwitterShots

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Twitter/X screenshot helper: it sends a tweet ID, together with a user-supplied TwitterShots API key, in an outbound network request to the TwitterShots API, which renders the tweet as an image.

Install only if you trust TwitterShots with the tweet URLs or IDs, rendering options, and API key used for screenshot requests. Use a dedicated, rotatable API key and be cautious with return-url mode because generated results may be hosted by the provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Underdeclared Capability

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires access to environment variables and makes outbound network requests, yet does not declare those capabilities explicitly. This can mislead reviewers and users about what the skill can access, reducing transparency and weakening permission-based safety controls.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill transmits tweet identifiers and optional rendering parameters to a third-party service without clearly warning the user that their input will be sent off-platform. Even if tweet IDs are often public, parameters may reveal user preferences or intended usage, and users should be informed before external disclosure.
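The following wrapper shows one way to act on the Overview's advice (dedicated, rotatable key; return-url mode only on explicit opt-in) and on the two findings above (state the capabilities the skill uses; tell the user what leaves the machine before sending it). It is an added example, not the skill's own code and not a TwitterShots SDK. It assumes only what the evidence on this page shows: the `GET https://api.twittershots.com/api/v1/screenshot/:statusId` endpoint, the `X-API-KEY` header and the `format`/`returnType`/`containerBackground` query parameters. The environment variable name `TWITTERSHOTS_API_KEY`, the `jpeg` format, and the `OfflineTransport` stand-in for `requests.get` are assumptions made for illustration so the code runs offline.

```python
import os
import re
from typing import Mapping

API_BASE = "https://api.twittershots.com/api/v1/screenshot/"
KEY_ENV_VAR = "TWITTERSHOTS_API_KEY"   # assumed name; use a dedicated, rotatable key

# Explicit capability declaration: exactly the env variable, host and file
# access this wrapper uses (what the Least Privilege finding says is missing).
CAPABILITIES = {
    "env": [KEY_ENV_VAR],
    "network": ["api.twittershots.com"],
    "filesystem": ["write: caller-supplied output path only"],
}

# png, svg and html appear on the page; jpeg is an assumption.
ALLOWED_FORMATS = {"png", "jpeg", "svg", "html"}
_STATUS_ID = re.compile(r"^\d{1,20}$")
_STATUS_URL = re.compile(
    r"^https?://(?:www\.)?(?:twitter|x)\.com/[A-Za-z0-9_]{1,15}/status/(\d{1,20})")


def extract_status_id(value: str) -> str:
    """Accept a bare numeric status ID or a twitter.com / x.com status URL.

    Anything else is rejected, so arbitrary strings (paths, hostnames, injected
    text) never reach the path segment or the query string.
    """
    value = value.strip()
    if _STATUS_ID.match(value):
        return value
    m = _STATUS_URL.match(value)
    if m:
        return m.group(1)
    raise ValueError("not a tweet ID or status URL: %r" % value)


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the declared variable only; never from arbitrary env."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(status_id, api_key, fmt="png", return_url=False,
                  allow_hosted_result=False, container_background=None):
    """Return (url, headers, params) for the documented endpoint.

    returnType=url makes the provider host the rendered result, so it is
    opt-in: the caller must pass allow_hosted_result=True to accept that.
    """
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported format {fmt!r}")
    params = {"format": fmt}
    if return_url:
        if not allow_hosted_result:
            raise PermissionError("returnType=url hosts the result with the "
                                  "provider; pass allow_hosted_result=True")
        params["returnType"] = "url"
    if container_background:
        params["containerBackground"] = container_background
    headers = {"X-API-KEY": api_key,
               "Accept": "text/html" if fmt == "html" else f"image/{fmt}"}
    return API_BASE + extract_status_id(status_id), headers, params


def disclosure_notice(url, params):
    """Text to show the user before sending (the Missing User Warnings finding)."""
    sent = ", ".join(f"{k}={v}" for k, v in sorted(params.items()))
    return (f"About to send tweet ID {url.rsplit('/', 1)[1]} and parameters "
            f"[{sent}] to api.twittershots.com, a third-party service.")


def redact(headers):
    """Copy of the headers that is safe to log: the key never reaches logs."""
    return {k: ("***" if k.upper() == "X-API-KEY" else v) for k, v in headers.items()}


class OfflineTransport:
    """Constructed stand-in for requests.get so the example runs with no network.
    Records each call (with the key redacted) and answers with a fake PNG header."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, headers=None, params=None):
        self.calls.append((url, redact(headers), params))
        class _Resp:
            status_code = 200
            content = b"\x89PNG\r\n\x1a\n"
        return _Resp()


def screenshot(status_id, api_key, transport, **options):
    """Send the request through transport(url, headers=..., params=...).
    transport is a hypothetical injection point; real use would pass requests.get."""
    url, headers, params = build_request(status_id, api_key, **options)
    resp = transport(url, headers=headers, params=params)
    if getattr(resp, "status_code", 200) != 200:
        raise RuntimeError(f"TwitterShots returned HTTP {resp.status_code}")
    return resp.content
```

In real use, print `disclosure_notice(...)` and wait for confirmation before calling `screenshot`, and log only `redact(headers)`; the `CAPABILITIES` dict is what the skill's manifest should declare so that reviewers can compare it against the code.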

External Transmission

Medium
Category
Data Exfiltration
Content
## API Request

**Endpoint:** `GET https://api.twittershots.com/api/v1/screenshot/:statusId`

**Required Header:**
Confidence
86% confidence
Finding
https://api.twittershots.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Get URL Instead of Buffer

```bash
curl -X GET "https://api.twittershots.com/api/v1/screenshot/1617979122625712128?returnType=url&format=svg" \
  -H "X-API-KEY: YOUR_API_KEY"
```
Confidence
84% confidence
Finding
https://api.twittershots.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Gradient background
curl -X GET "https://api.twittershots.com/api/v1/screenshot/1617979122625712128?format=png&containerBackground=linear-gradient(90deg,%23003f5b,%232b4b7d,%235f5195)" \
  -H "X-API-KEY: YOUR_API_KEY" \
  -H "Accept: image/png" \
  -o tweet-gradient.png
```
Confidence
90% confidence
Finding
https://api.twittershots.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

def screenshot(tweet_id, api_key, format="png", background_image=None):
    params = {"format": format}
    if background_image:
        params["backgroundImage"] = background_image
    response = requests.get(
        f"https://api.twittershots.com/api/v1/screenshot/{tweet_id}",
        headers={
            "X-API-KEY": api_key,
            "Accept": f"image/{format}" if format != "html" else "text/html",
        },
        params=params,
    )
    return response.content
```
Confidence
93% confidence
Finding
https://api.twittershots.com/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal