Twitter Browser Automation

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X automation skill is mostly coherent, but it gives the agent under-disclosed power to change a logged-in account through likes, reposts, follows, unfollows, and bookmarks.

Install only if you are comfortable letting an agent operate a logged-in X/Twitter account in Chrome. Confirm every public or account-changing action, especially reposts, follows, unfollows, likes, and bookmarks, and consider using a dedicated browser profile or account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium (95% confidence)
Finding:
The manifest describes posting, searching, analytics, threads, and replies, but the skill also implements liking, reposting, following, unfollowing, and bookmarking. That scope mismatch matters because an orchestrator or user may invoke the skill under incomplete assumptions, enabling account-affecting actions that were not transparently declared.

Context-Inappropriate Capability

Medium (92% confidence)
Finding:
Follow and unfollow are account-management actions with persistent effects on a user's social graph and account reputation, yet they are outside the manifest's stated purpose. In a browser-automation skill operating on a logged-in account, undeclared account-management features increase the chance of surprising or unauthorized state-changing behavior.

Context-Inappropriate Capability

Low (88% confidence)
Finding:
Like, repost, and bookmark actions are state-changing engagement operations that affect the user's account and public activity, but they are not disclosed in the manifest. Even if individually lower risk than follow/unfollow, hidden engagement capabilities can still be misused or unexpectedly triggered in a logged-in browser context.

Vague Triggers

Medium (84% confidence)
Finding:
The trigger examples are broad enough to capture many ordinary social-media requests without tightly constraining what operations are allowed. In combination with undeclared state-changing capabilities and browser control over a logged-in X session, broad triggers increase the risk of over-invocation and unintended account actions.

Natural-Language Policy Violations

Medium (91% confidence)
Finding:
The skill requires rewriting all tweet text, including user-authored content, through a mandatory style-transformation pipeline without opt-in. That can alter user intent, tone, compliance language, disclaimers, or exact wording before publication, which is risky for a posting tool acting on behalf of a user.

VirusTotal

64/64 vendors flagged this skill as clean.