Awaek

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Awaek is a disclosed local X bookmark search skill, with the main caution that it can surface private saved posts when invoked by broad phrases like “my bookmarks.”

Install only if you want your agent to access and search your saved X bookmarks locally. Prefer explicit Awaek-prefixed requests, keep xurl credentials out of chat, and avoid using it on a shared machine unless the local bookmark database location is acceptable.

SkillSpector (3)

By NVIDIA

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill invokes local Python scripts and the `xurl` CLI, which implies file access to local bookmark databases and network access to the X API, but it does not declare corresponding permissions. That mismatch weakens platform trust boundaries because users and the host may not have clear visibility or enforcement over what the skill can access.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The trigger phrase `my bookmarks` is broad and likely to match ordinary user speech outside the intended X-bookmark workflow. This can cause accidental invocation of the skill in unrelated contexts, leading to unnecessary access to local bookmark data or network-backed sync/search actions.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The activation phrases are broad enough to match ordinary conversation such as 'my bookmarks' or 'saved posts', which can cause the skill to trigger unexpectedly. In this skill, unexpected triggering is meaningful because it can shift the assistant into operating on local bookmark data and invoking local commands without sufficiently clear user intent.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal