X Publisher

Security checks across malware telemetry and agentic risk

Overview

This is a real X/Twitter account tool, but it can delete or modify public account content with OAuth credentials and lacks enough guardrails around those actions.

Install only if you intend to let an agent operate the connected X account. Use the least-privileged X app/token available, require human approval for posts, likes, and especially deletions, and treat the scheduling instructions as unreliable unless a separate scheduler is reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill declares required environment variables containing API credentials, but the findings indicate permissions/capabilities are not explicitly declared in a formal permissions model. This creates a transparency and governance gap: consumers may not realize the skill can access sensitive secrets and perform authenticated actions on their X account. In an agent setting, hidden credential use materially increases risk because it enables account actions without clear upfront consent boundaries.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The manifest says the skill posts tweets, threads, replies, and quote-tweets, but the documentation exposes additional capabilities to like tweets, delete tweets, and read the user's timeline. This mismatch is dangerous because it understates the skill's authority and can mislead users or automated reviewers into granting trust to a tool that can perform broader, potentially destructive account actions. Hidden delete and timeline access materially raise the abuse potential of the credentialed skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The documentation advertises operational capabilities beyond the manifest description, including scheduling, timeline access, likes, and deletion. In a security review context, incomplete disclosure is a real issue because it prevents accurate risk assessment and informed consent, especially when the skill operates with OAuth credentials tied to a real social-media account. The broader the undeclared feature set, the greater the chance of misuse or unintended actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The skill description says it posts tweets, threads, replies, and quote-tweets, but the code also supports liking tweets, deleting tweets, and reading the authenticated user's timeline. This scope mismatch is a real security concern because it grants broader capabilities than users or orchestrators would reasonably expect, increasing the risk of unauthorized destructive actions and unnecessary data access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill documents a delete command for tweets without any warning, confirmation step, or safety guidance. This is dangerous because an agent or user can irreversibly remove content from the authenticated account by mistake, and the presence of live OAuth credentials makes accidental or malicious misuse immediately actionable. In a posting-oriented skill, destructive account actions deserve additional friction and explicit disclosure.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The delete operation immediately issues a DELETE request for any provided tweet ID with no confirmation, dry-run mode, or secondary validation. In an agent context, a mistaken prompt, command injection into arguments, or misuse of the skill could irreversibly delete content without user awareness.

VirusTotal

63/63 vendors flagged this skill as clean.
