Back to skill

Security audit

X Research

Security checks across malware telemetry and agentic risk

Overview

This is a coherent read-only X/Twitter research skill that uses a documented X API token, local cache, watchlist, and optional saved drafts.

Install only if you are comfortable giving the skill an X API bearer token and paying for API reads. Use a token scoped for this purpose, monitor X API spending, avoid storing sensitive unrelated secrets in the same global env file, clear cache/drafts when researching sensitive topics, and enable heartbeat watchlist checks only intentionally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly requires environment-variable access and outbound network access, but those capabilities are not declared in the skill metadata. Hidden or undeclared capabilities reduce operator visibility and consent, making it easier for a seemingly simple research skill to access secrets and external services without clear governance.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated purpose presents the skill as a general X research tool, but the documented behavior also includes profile lookups, thread expansion, single-tweet retrieval, persistent watchlist management, local file writes, token loading from disk, and caching. This mismatch can mislead users and reviewers about the actual data access and persistence surface, increasing the risk of unintended monitoring, storage, or secret handling.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code silently falls back to reading a bearer token from a global dotfile under the user's home directory, expanding the skill's credential access beyond its stated environment-based configuration. In an agent-skill context, this is dangerous because invoking the skill can cause it to consume sensitive credentials from the host filesystem without explicit user awareness or per-skill scoping.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill supports a --save option that writes output to local draft files, but the user-facing description does not clearly warn about local persistence. Undisclosed file writes can create privacy, data-retention, and workspace contamination issues, especially when research may include sensitive topics or user-provided queries.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill reads a bearer token from a global credential file with no user-facing disclosure or consent mechanism, which creates an opaque privilege boundary crossing. In this context, the skill is a research tool, so implicit access to unrelated host-level secrets is broader than necessary and increases the chance of unintended credential use or leakage through downstream errors, logs, or future code changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
lib/api.ts:13

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
x-search.ts:40

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
lib/api.ts:1