Twitter Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Twitter/X scraper, but its stealth, proxy-based anti-detection, and persistent profile/media collection make it review-worthy before installation.

Install only if you are comfortable running a social-media scraper that is designed to evade automation detection and use residential proxies. Confirm your use is authorized and lawful, inspect any external code before running it, use restricted API/proxy credentials, avoid large unsupervised scraping runs, and delete exported profile/media data when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly documents collection, export, and local storage of profile data, engagement metrics, and downloaded thumbnails/media, but provides no privacy, consent, retention, or lawful-use warning. In a browser-based scraping skill targeting social-media profiles, that omission increases the risk of misuse, over-collection, and improper downstream handling of personal data.

Missing User Warnings

Low
Confidence: 87%
Finding
The documentation instructs users to export proxy usernames and passwords via environment variables but does not warn that these are sensitive secrets that can be exposed through shell history, logs, screenshots, CI output, or process inspection if mishandled. While environment variables are a common mechanism, omission of secret-handling guidance can lead to credential leakage and unauthorized proxy use.

VirusTotal

66/66 vendors flagged this skill as clean.
