ADHD X Bookmark Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it reads X bookmarks, stores an archive locally, and can send summaries to channels the user configures.

Install only if you are comfortable letting an agent read and summarize your X bookmarks. Use the bird CLI rather than pasting cookies, keep webhook URLs in environment variables, choose private delivery channels, and periodically delete or prune the local bookmark archive if it contains sensitive personal or work material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The document makes an absolute security/privacy claim that 'nothing is sent to external services except your configured delivery channel,' but elsewhere it explicitly relies on X API access and optional webhook-based integrations. Misleading data-flow statements are dangerous because users may authorize the skill under false assumptions about what external services receive their bookmark data and metadata.

Missing User Warnings

Medium
Confidence: 80%
Finding
The README advertises automated Discord summaries and creation of a searchable archive of X bookmarks, which likely involves collecting, storing, and transmitting potentially sensitive user content. Presenting these features without any privacy, retention, or sharing warnings can cause users to expose private interests, account-linked data, or confidential bookmarked material to third-party systems unintentionally.

VirusTotal

64/64 vendors flagged this skill as clean.
