
Security audit

X Bookmarks Digest

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed X/Twitter bookmark digest tool that uses xurl to read bookmarks, analyzes them locally, and stores only small run-tracking state.

Install only if you are comfortable letting the skill read bookmarks from the X/Twitter account currently authenticated in xurl. Review every proposed git clone, package install, ClawHub install, skill scaffold, Obsidian save, or memory save before approving it, and use the documented dry-run flag when testing without updating state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to use shell commands, access the network via xurl, and read/write a local state.json file, but it declares no permissions. That creates a transparency and consent problem: operators may not realize the skill can make outbound requests and persist local state, increasing the chance of unintended data access or modification.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The architecture explicitly expands behavior from producing a digest into persisting bookmark-derived content to memory or Obsidian. That is a broader data-handling action than the stated purpose and can cause unintended retention of third-party or personal content without explicit user consent, increasing privacy and scope-creep risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger descriptions are broad enough that normal conversation like 'check my bookmarks' or 'review bookmarks' could invoke the skill without strong intent boundaries. Because the skill can fetch authenticated data and propose follow-on actions, loose activation increases the chance of unintended execution and privacy-impacting access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The architecture proposes auto-installing promising skills via clawhub or scaffolding new ones as part of next actions, but it does not require explicit confirmation before system-modifying operations. This creates a path from untrusted bookmark content to package installation or code generation, which is dangerous because bookmarked posts can reference malicious tools, typo-squatted packages, or unsafe commands.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Broad trigger phrases like 'x bookmarks', 'twitter bookmarks', and 'review bookmarks' can cause accidental activation during ordinary conversation. In this skill, accidental activation matters because it can initiate shell commands, network access, and state updates tied to a user's private bookmark data.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation guidance uses loose examples instead of strict conditions, which increases the likelihood the agent will infer activation from casual discussion. Because the workflow reaches external services and processes personal bookmark content, ambiguity raises the risk of unintended data retrieval and persistence.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
90% confidence
Finding
The trigger phrase 'review bookmarks' overlaps with the built-in command 'review', creating a shadowing/confusion risk. That can cause the wrong handler to run and unintentionally invoke this skill's network, shell, and local state operations when the user intended a different review action.

VirusTotal

65/65 vendors flagged this skill as clean.
