Xint

Security checks across malware telemetry and agentic risk

Overview

This X/Twitter research skill also bundles broad account controls, file-upload features, and local server/package-management functions that are not consistently disclosed.

Install only if you want a powerful X/xAI automation tool and are comfortable granting broad OAuth permissions. Prefer read-only use first, avoid granting `tweet.write` unless removed or justified, configure bearer auth before running any package API server, and do not use collection sync on directories containing private files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (52)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes sensitive capabilities including environment access, file reads/writes, shell execution, and network access, but does not declare an explicit permissions model. This creates a transparency and consent gap: an agent or reviewer may underestimate what the skill can do, increasing the chance of unintended credential use, filesystem modification, or external data exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents the skill as an X research/engagement CLI, but the detected behavior set is materially broader and includes MCP server exposure, package publishing, local API services, admin/release automation, moderation actions, and additional data-management functions. This mismatch is dangerous because users and orchestrators may invoke the skill under a narrower trust assumption than its real execution surface warrants.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The manifest states the skill is not for enterprise features, yet later documentation describes package management and publish-to-catalog workflows that are enterprise-style capabilities. This inconsistency can mislead users and policy systems about the scope, trust level, and data-sharing implications of the skill.

Scope Creep

Medium
Confidence
94% confidence
Finding
The documentation introduces additional package API tools, a new credential (`XINT_PACKAGE_API_KEY`), and implied external services that are not declared in the manifest's credentials or network endpoints. Undeclared credentials and services are risky because they bypass expected review controls and can enable unseen data flows to external systems.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The file explicitly states it can obtain article content from pages that plain HTTP cannot, including some paywalled content, which indicates deliberate circumvention of publisher access controls via a third-party model provider. That creates legal, policy, and data-handling risk, and can expose users and operators to misuse of protected content outside intended access boundaries.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The sync command can upload bookmark-derived knowledge to xAI Collections, which is a third-party remote destination not clearly aligned with the declared bookmark-sync target of Obsidian in the skill metadata. Because bookmarks may contain sensitive research, links, and inferred summaries, this creates an unexpected data-sharing path and weakens informed user consent.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The help text describes sync as exporting markdown files, but the implementation also supports cloud upload to xAI Collections via `--cloud`. This mismatch can mislead users about where their bookmark-derived data may go, increasing the chance of unintended disclosure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The capability manifest exposes `lists`, `blocks`, and `mutes` as supported operations even though the skill metadata says those are non-goals or not part of the expected user-facing scope. In agent ecosystems, manifests are often trusted for permissioning and tool selection, so overstating capabilities can cause an orchestrator to grant broader OAuth scopes or invoke account-mutating actions the user did not intend.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file adds a substantial xAI knowledge-base and local directory sync capability that is outside the declared X/Twitter-focused scope of the skill. Scope expansion matters because it enables local file collection, upload, and persistent external storage in a way users would not reasonably expect from an X research tool, increasing the chance of covert or accidental data exfiltration.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can upload arbitrary local files and recursively sync directories to external xAI APIs via `filesUpload()` and `cmdSyncDir()`, including automatic discovery with `find`. In the context of an X/Twitter CLI, this is unexpectedly powerful and dangerous because it can transmit sensitive local content off-host without a narrow business need tied to the advertised functionality.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The health diagnostics hard-code a broad `REQUIRED_OAUTH_SCOPES` set that includes write and moderation permissions such as `bookmark.write`, `like.write`, `follows.write`, `block.write`, `mute.write`, `list.write`, and `tweet.write`. For a tool described primarily as search, analysis, monitoring, and bookmark sync, validating and normalizing these elevated scopes encourages over-privileged OAuth grants and increases blast radius if tokens are stolen or misused.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The auth doctor treats block/mute/list/tweet write scopes as required health criteria even though the skill metadata says it is not for posting tweets and emphasizes research/analysis workflows. This can pressure operators to grant unnecessary high-impact permissions, creating avoidable account-manipulation capability if the OAuth token is compromised.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This file implements full X Lists management, including create, update, delete, and member modification operations, but the declared skill scope says lists are not part of the stated feature set and emphasizes other operations like search, bookmarks, likes, and following. Capability drift is dangerous because it exposes privileged write actions that users, reviewers, and policy controls may not expect, increasing the risk of unauthorized or accidental account changes through OAuth-backed API calls.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This file adds block/mute moderation capabilities that are outside the declared skill scope, which is primarily search, analysis, engagement, and a limited set of social actions. Hidden or undocumented write-capable account controls increase the risk of unexpected account manipulation, especially in agentic contexts where users may authorize broad OAuth scopes without realizing moderation actions are available.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The add/remove moderation operations implement direct account-control actions that are not justified by the stated purpose of the skill. In an assistant-integrated tool, such undocumented actions are dangerous because they expand the set of side effects the agent can perform on a user's social account, enabling accidental or unauthorized blocking/muting of other users.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The OAuth scope string requests very broad permissions, including write access and offline access, while the skill description primarily emphasizes search, analysis, monitoring, and bookmark-related workflows. Over-scoped OAuth grants violate least privilege and increase the blast radius if the local token file is stolen or the skill is later extended/misused to perform unintended account actions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code explicitly includes block, mute, list, and `tweet.write` capabilities that are not justified by the stated non-goals and core purpose of the skill. These unnecessary write privileges enable potentially harmful actions against the user's account and social graph if tokens are compromised or if downstream code abuses the granted permissions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The governance deletion endpoint deletes packages based only on package existence and does not verify that the targeted package belongs to the authenticated workspace. An authenticated caller in one workspace can supply another workspace's package_id and cause unauthorized deletion, creating a cross-tenant integrity violation with destructive impact.

Description-Behavior Mismatch

Low
Confidence
92% confidence
Finding
The TUI stores sensitive user-entered values such as searches, usernames, tweet references, locations, and article URLs in a persistent local JSON file under the project data directory. This creates an information disclosure risk because anyone with access to the local machine, workspace, backups, or synced project folders can recover prior user activity, and the behavior is not clearly disclosed in the skill metadata or UI.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This script performs GitHub branch-protection administration across multiple repositories, which is unrelated to the declared X/Twitter research functionality of the skill. Even though branch protection is a defensive control, bundling privileged repository-management actions into an unrelated skill expands the attack surface and can cause unauthorized or unexpected changes when the skill package is installed or reviewed incompletely.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file contains code that issues authenticated `gh api --method PUT` requests to modify branch protection settings on GitHub repositories, despite the manifest describing an X/Twitter CLI. This mismatch is dangerous because users may grant or retain GitHub credentials without realizing the package includes repository-administration capability, enabling unintended governance changes to source-control infrastructure.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script performs GitHub repository administration by creating and updating branch protection rulesets across multiple repositories, which is outside the declared X/Twitter research functionality of the skill. In an agent context, unrelated admin capabilities increase attack surface and can be abused through accidental invocation, repurposing, or hidden maintenance actions to alter repository governance using the operator's GitHub credentials.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code embeds a GitHub governance capability that can enforce or modify branch rulesets on named repositories, despite the skill being presented as an X/Twitter analysis tool. This mismatch is dangerous because users or orchestrators may grant credentials appropriate for social-media operations while unknowingly exposing repository-admin functionality that can change development controls and CI gating.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This script is a full release automation pipeline that creates branches and PRs, merges them, publishes artifacts to third-party registries, edits Homebrew formulas, creates GitHub releases, and uploads release assets. Those capabilities are far outside the declared X/Twitter research scope of the skill, so if exposed through the skill they create an unnecessary high-privilege supply-chain attack surface with potential for unauthorized code publication and repository mutation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code includes multi-repository publishing to GitHub, ClawdHub, skills.sh, and a Homebrew tap, including remote downloads, hashing, formula rewrites, commits, and pushes. In the context of an X/Twitter research skill, this is unjustified supply-chain functionality: compromise or misuse could propagate malicious or unintended releases across several distribution channels from one script.

VirusTotal

61/61 vendors flagged this skill as clean.
