Xint Rs

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent X/Twitter intelligence CLI, but it needs Review because it requests broad account-write OAuth access and can upload local files or bookmark-derived knowledge to xAI with limited containment.

Install only if you are comfortable granting this tool X account authority and sending selected data to xAI. Prefer read_only policy mode, avoid OAuth setup unless you need account actions, review requested X scopes carefully, and do not run collections upload/sync or bookmark-kb cloud sync on directories or files containing private material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file implements xAI collection and file-management operations that are outside the stated X/Twitter intelligence skill scope. Capability drift is dangerous because users or reviewers may believe the skill only performs X research while it also supports unrelated remote document ingestion, increasing the chance of unintended data handling and covert exfiltration paths.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script can enumerate arbitrary local files via user-supplied directory/glob arguments and upload them to remote xAI services, including bulk sync behavior. In the context of an X/Twitter intelligence skill, this is substantially more dangerous because the capability is not justified by the advertised purpose, making accidental or unauthorized exfiltration of local documents more likely.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This file exposes document-management and collection APIs, including file upload and document search, which materially expand the skill beyond its stated X/Twitter research purpose. Hidden or weakly scoped capabilities increase the risk that an agent can be induced to exfiltrate local data or build unintended retrieval pipelines under the guise of social-media research.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The files_upload function reads an arbitrary local path and sends the raw contents to an external xAI endpoint. In an agent setting, this creates a direct exfiltration primitive: prompt-controlled or loosely validated file paths could expose secrets, configuration, credentials, or private documents unrelated to the user’s X research task.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The OAuth scope set requests broad write-capable permissions including tweet.write, follows.write, block.write, mute.write, list.write, bookmark.write, and like.write, while the skill metadata says it is primarily for research/intelligence and explicitly not for posting tweets. This violates least privilege and materially increases blast radius if the tool, token store, or dependent code is compromised, because an attacker could perform account actions instead of only reading data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The auth module enables account-management and posting-capable permissions that are not justified by the skill's stated primary use as X research/analysis tooling. In context, that mismatch is security-relevant because users may reasonably grant access expecting passive intelligence collection, not active modification of their account.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
Several request helpers accept any path beginning with "http" and use it directly instead of constraining requests to api.x.com. Because these methods also attach bearer or OAuth Authorization headers, a caller that can influence the path can exfiltrate X API tokens to an arbitrary host, creating an SSRF-style outbound request primitive plus credential leakage.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The generic post_json method can send arbitrary JSON payloads to any URL, which exceeds the stated X-intelligence-only scope and provides a general exfiltration channel. In an agent skill context, this is more dangerous because collected search results, user data, or tokens could be forwarded off-platform without clear user awareness.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The help text understates what `sync` can do by describing it as only a local markdown export, while the same command can create cloud collections and upload documents when `--cloud` is present. This is a security-relevant transparency failure because users may invoke the command based on misleading documentation and unintentionally transmit bookmark-derived data to external services.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The CLI advertises a `--since <dur>` filter for limiting extraction to a time window, but the extraction implementation never applies that option. Users may believe only recent bookmarks are processed, while older bookmarks are still fetched and sent for analysis, causing unintended over-collection and possible privacy exposure.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file exposes collection management, file upload, and directory sync behaviors that extend beyond the skill’s declared X/Twitter intelligence scope. Scope expansion matters because an agent or user invoking this skill for social-media research may unintentionally gain filesystem-to-external-service data movement capabilities that were not disclosed in the manifest, increasing the risk of covert exfiltration or misuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The upload command accepts an arbitrary local path, verifies only that it exists, and sends the file to xAI using an API key. In the context of a skill presented as X/Twitter research tooling, this creates an unjustified local-file exfiltration path that could expose sensitive documents if the command is invoked directly or indirectly.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The sync-dir flow enumerates local files matching user-controlled globs, uploads them to an external service, attaches them to a remote collection, and writes a report locally. That combination of bulk local data discovery plus outbound transmission is significantly broader than the stated X/Twitter use case and could facilitate large-scale accidental or unauthorized disclosure of local content.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file implements write-capable engagement actions including like, unlike, bookmark, unbookmark, follow, and unfollow, while the skill metadata says posting is a non-goal. Although these are not tweet creation or DMs, they are still account-modifying side effects and expand the tool beyond an apparently read-oriented research/intelligence scope, which can mislead downstream agents into performing unintended actions on a user's account.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The health check hard-codes OAuth scopes including tweet.write, block/mute read/write, and other engagement/moderation permissions that exceed the stated non-goals of the skill. Over-requesting privileges increases blast radius if tokens are compromised and encourages users to grant unnecessary access, violating least-privilege expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code treats block/mute read/write scopes as required even though the skill description focuses on search, analysis, trends, follower diffing, and related intelligence tasks. This creates unnecessary authority over a user's account safety settings, making token misuse more harmful than the feature set warrants.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The command router exposes create, update, delete, and member-management operations even though the skill metadata frames the tool as research/search/analysis oriented and explicitly says it is not for posting or engagement-style actions. This capability mismatch can cause an agent or user to invoke account-modifying actions under a misleading trust boundary, increasing the risk of unintended state changes on the user's X account.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The members add/remove flows let the skill actively curate account relationships by changing list membership, which goes beyond passive intelligence gathering. In an agent setting, this is dangerous because ambiguous user prompts about monitoring or research could be translated into unauthorized account modifications affecting visibility, organization, or operational workflows.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file adds active account-moderation capabilities (listing, blocking, muting, unblocking, unmuting) even though the skill metadata frames the tool as a research/intelligence CLI and explicitly says it is not for engagement/posting-oriented actions. That mismatch is security-relevant because an agent or user invoking the skill for passive research could unexpectedly gain write access that changes the user's X account state, increasing the chance of unauthorized or surprising side effects.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code performs authenticated POST/DELETE requests to X moderation endpoints using the caller's OAuth token, enabling block/mute and reversal actions. In a skill intended for search, analysis, and reporting, these write capabilities are dangerous because prompt confusion, tool misuse, or deceptive task phrasing could cause unwanted account actions against third parties, directly altering the user's social graph and moderation state.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The stream command accepts a user-supplied webhook URL and later posts matched tweet events to that destination, creating a data exfiltration path to arbitrary external endpoints. Even if intended for integrations, this broadens the tool from local monitoring into unrestricted outbound delivery, which can leak monitored content or metadata to attacker-controlled infrastructure if the URL is influenced by untrusted input.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The executable command dispatcher exposes active tweet and moderation capabilities such as Tweet, Follow/Unfollow, Like/Unlike, Bookmark, Blocks, and Mutes, which conflicts with the skill metadata claiming it is 'not for posting tweets' and positioning the tool primarily for search and analysis. In an agent setting, this mismatch is dangerous because upstream policy or users may rely on the manifest to grant the skill access in contexts where write actions should be prohibited, enabling unintended state-changing operations on X accounts.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The README promotes OAuth-backed commands that change account state, including blocks, mutes, follows, unfollows, and list membership changes, without prominent warnings that these are live write operations. In an agent or automation context, unclear documentation can lead to unintended account actions, abuse of delegated OAuth permissions, or user surprise when the tool modifies a real X account.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation phrases include broad natural-language triggers like 'search x', 'check x for', and 'what are people saying about', which can cause accidental invocation in ordinary conversation. In a skill with network access, credentials, exports, and optional outbound webhooks, unintended activation can lead to unnecessary external API calls, data retrieval, or cost-incurring actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code transmits local file contents to a third-party API without any visible disclosure, consent flow, or safety interlock in the module. Even if the upload is intentional at a higher layer, the absence of safeguards here makes accidental privacy breaches and unauthorized data sharing more likely.

VirusTotal

58/58 vendors flagged this skill as clean.
