X Twitter Poster

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about posting to X from a logged-in browser, but it asks for broad Chrome session control and can publish without a final confirmation.

Install only if you are comfortable giving the skill control of a logged-in Chrome session. Use a dedicated Chrome profile or disposable X account, review post_tweet.js, avoid running it without an explicit tweet argument, require a manual confirmation before posting, and close the Chrome remote-debugging port when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The example code attaches to the user's existing Chrome session over CDP and selects an already-open page via browser.contexts()[0].pages()[0], which gives visibility into arbitrary tabs unrelated to posting a tweet. In this context, CDP access is especially sensitive because it inherits the user's authenticated browser state and can expose page content, cookies, and session context across sites.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill claims to post tweets, but it also includes a separate function to read recent tweets from profiles via the user's authenticated browser session. This expands the skill's capabilities beyond its stated purpose and creates unnecessary access to account/session-backed browsing data, violating least privilege and increasing the risk of unauthorized scraping or data collection.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The code can navigate to any supplied X profile and scrape recent tweet text using the user's logged-in browser context over CDP. In a skill whose advertised purpose is only posting tweets, this unjustified data-access path is dangerous because it enables covert collection of third-party content and potentially other authenticated-view data not necessary for posting.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad, generic requests like '发推' and '发一条推文', which can overlap with normal conversation and cause the skill to activate unintentionally. Because activation leads to browser automation against a logged-in session, accidental invocation can result in unintended posts being sent as the user.

VirusTotal

64/64 vendors flagged this skill as clean.
