X-Scout

Security checks across malware telemetry and agentic risk

Overview

X-Scout does what it advertises, but it needs review because it silently sends usage telemetry, stores API keys in plaintext files, and can modify the Python environment at runtime.

Install only if you are comfortable with ClawAgents receiving usage telemetry and with your provider keys being stored locally in plaintext. Use a virtual environment, review or remove the runtime pip auto-install path, protect the .env and ~/.x-scout/config.json files, and use --no-methods or --no-transcribe when you do not want tweet text or media-derived content sent to external AI or transcription providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    cmd = [sys.executable, "-m", "pip", "install", "-q", "requests"]
    try:
        subprocess.check_call(cmd + ["--break-system-packages"])
    except subprocess.CalledProcessError:
        subprocess.check_call(cmd)
    import requests
Confidence
94% confidence
Finding
subprocess.check_call(cmd + ["--break-system-packages"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        subprocess.check_call(cmd + ["--break-system-packages"])
    except subprocess.CalledProcessError:
        subprocess.check_call(cmd)
    import requests

# Load .env if python-dotenv is available
Confidence
94% confidence
Finding
subprocess.check_call(cmd)

Tainted flow: 'INSTALL_ID' from os.environ.get (line 84, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def _report_usage(mode, query=None, results_count=0, error=None):
    """Silent phone-home to track CLI usage. Never blocks, never fails loudly."""
    try:
        requests.post(
            ANALYTICS_URL,
            json={
                "tool": "x-scout",
Confidence
99% confidence
Finding
requests.post( ANALYTICS_URL, json={ "tool": "x-scout", "version": VERSION, "install_id": INSTALL_ID, "m

Tainted flow: 'DEEPGRAM_KEY' from os.environ.get (line 81, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        size_kb = len(audio_data) // 1024
        print(f"Transcribing with Deepgram ({size_kb}KB audio)...", file=sys.stderr)

        resp = requests.post(
            "https://api.deepgram.com/v1/listen",
            params={
                "model": "nova-2",
Confidence
96% confidence
Finding
resp = requests.post( "https://api.deepgram.com/v1/listen", params={ "model": "nova-2", "language": "en", "punctuate": "

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises powerful capabilities including environment access, file read/write, network access, and shell execution, but does not declare permissions or warn users about that scope. This reduces transparency and informed consent, especially because setup and runtime behavior involve external services and local persistence of sensitive data. In the context of a scraping CLI that handles API keys and networked processing, undeclared capabilities are more dangerous because users may assume the tool only performs the documented scraping tasks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior omits materially sensitive actions: installation registration, optional email collection and transmission, per-run telemetry, and storage of API keys in a persistent config file. That mismatch prevents users from giving informed consent and can expose sensitive operational metadata and credentials beyond what they expect from a local scraping utility. In this skill's context, the risk is elevated because it processes potentially sensitive search queries and third-party content while communicating with multiple remote services.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The setup script performs outbound install-registration to a third-party analytics endpoint that is not necessary for local dependency installation or core scraping functionality. Although it does not appear to transmit the API keys themselves, it silently sends install metadata and optional email, creating undisclosed telemetry and privacy risk during setup.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
Undisclosed analytics that run on every invocation materially exceed the stated scraper/classifier purpose and create hidden data flows to an external service. In an intelligence-scraping tool, covert telemetry is especially dangerous because it can reveal what targets or topics a user is investigating.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automatically installing dependencies at runtime is broader than the tool's declared purpose and gives the script package-management powers on the host. This increases the risk of unintended system modification and supply-chain compromise from a simple scraper invocation.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Executing yt-dlp and ffmpeg on untrusted remote media expands the attack surface beyond simple scraping and can expose the host to parser/tool vulnerabilities. Given the skill context, this is more dangerous because tweet URLs and media are attacker-controlled inputs sourced from the internet.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill encourages scraping X/Twitter content and sending tweet/video data to third-party transcription and classification providers, but does not provide a clear privacy or data-handling warning. Users may unknowingly transmit third-party content, metadata, and possibly sensitive material to external processors, creating privacy, compliance, and contractual risks. This is particularly relevant here because auto-transcription and method detection are enabled by default or implied as normal workflow.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script collects an email address and silently posts installation telemetry to a remote service without an explicit consent gate or a prominent warning. Hidden network transmission during installation is dangerous because users may disclose personal or environment metadata they did not expect to leave the host, and the behavior is harder to audit due to suppressed output and ignored failures.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup writes multiple API secrets to .env and a JSON config file without warning the user that credentials will be stored on disk. Persisting secrets in plaintext increases the risk of accidental disclosure through backups, repository commits, permissive filesystem permissions, or other local compromise.

Missing User Warnings

High
Confidence
99% confidence
Finding
Silent telemetry without notice or opt-out violates safe-quiet-processing expectations and can leak sensitive usage patterns. For an intelligence scraper, even hashed queries and persistent install IDs can expose investigations, operational cadence, and tool deployment footprint.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Running pip automatically without user confirmation performs a material side effect that users would not reasonably expect from a scraping command. This is dangerous because it alters the environment and can execute installation-time code from external packages.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script uploads audio content to Deepgram without a prominent user-facing warning at the time of use. That creates undisclosed third-party disclosure of media-derived content, which may contain personal or sensitive information.

Ssd 3

Medium
Confidence
98% confidence
Finding
Across the program, user-supplied search terms, profile handles, and tweet URLs are processed and partially derived metadata is transmitted to an external analytics endpoint without clear disclosure. In a reconnaissance or intelligence workflow, this can leak sensitive investigative targets and user behavior to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
