Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
X Tweet By Conversation
Security checks across malware telemetry and agentic risk
Overview
This skill is a disclosed X/Twitter conversation scraper that uses the user's logged-in browser session and local parsing scripts, with some accuracy and scoping caveats but no evidence of hidden exfiltration or destructive behavior.
Install only if you are comfortable with an agent using your logged-in X browser session to inspect TweetDetail network responses and save temporary raw response files locally. Treat the quote-chain claim as inaccurate: quote tweets require a separate search workflow. For sensitive accounts or private/protected content, review outputs before sharing them and avoid broad batch use unless it matches your intent.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)
Tp4
High
- Category
- MCP Tool Poisoning
- Confidence
- 98% confidence
- Finding
- This is a mismatch because the description promises a full conversation-thread harvester that collects all tweets in a thread given a conversation ID, including nested replies and quote chains, with pagination support. The actual code does not perform collection at all: one script just prints a tweet URL, and the other parses one already-captured GraphQL response file. While the parser does normalize tweet data and expose top/bottom cursors, it neither retrieves additional pages nor guarantees full-thread extraction. It also supports several endpoint types beyond conversation-thread detail, which is broader than the declared purpose.
Description-Behavior Mismatch
High
- Confidence
- 98% confidence
- Finding
- The manifest description says the skill collects the full conversation thread including 'quote chains.' However, the implementation notes later state that quote tweets referencing the conversation are not included and must be gathered via a different skill. This is a direct mismatch between the advertised scope and the actual behavior.
Intent-Code Divergence
Medium
- Confidence
- 80% confidence
- Finding
- The documentation asserts that the skill 'only reads tweet data already shown to the user,' yet the prescribed method explicitly captures and parses GraphQL network responses from TweetDetail requests. Reading network payloads is broader than merely reading what is visibly shown on the page, so the statement understates what the code/procedure actually does.
Vague Triggers
Medium
- Confidence
- 96% confidence
- Finding
- The manifest description lists a very long set of triggers including broad phrases such as "thread scraper," "conversation export," "reply chain," and especially expansive use cases like "sentiment analysis on a single viral tweet" and "controversy mapping." These are not narrowly scoped to this specific capability of collecting tweets by conversation id, so they increase the risk of unintended invocation for general social-media analysis requests.
VirusTotal
63/63 vendors flagged this skill as clean.
Static analysis
No suspicious patterns detected.