X Brand Operator

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about automating an X/Twitter brand account, but it can make unattended public posts, replies, likes, and follows without strong approval or account-scope controls.

Install only if you intentionally want an agent to operate a specific X/Twitter brand account. Use a dedicated xurl app and browser profile, verify the active account before enabling browser fallback, make cron jobs visible and time-limited, require review before public posts and replies, set strict per-run limits for likes/follows/replies, and confirm Telegram recipients before sending summaries or drafts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrases are broad enough to activate on common requests like scheduling tweets or automating a Twitter account, which can route users into a high-impact automation skill without clearly signaling that it performs live posting, engagement, and scheduling. In this context, overbroad invocation is dangerous because the skill can cause real account actions and persistent automation on a brand account, increasing the chance of accidental misuse.

Missing User Warnings

Medium
Confidence: 95%
Finding
The browser fallback performs direct live actions on the user's X account, including composing and submitting posts, but the skill does not require an explicit warning, preview, or confirmation step before execution. This is especially risky because browser automation uses the authenticated user profile, so a mistaken invocation or malformed content generation can immediately publish unwanted content from a real brand account.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs fully autonomous account-modifying actions such as liking, replying, and following, but does not include an explicit warning or consent boundary for these external side effects. In a cron-driven workflow, this increases the chance of unattended actions being performed on a live social account, which can cause reputation damage, policy violations, or unintended engagement at scale.

Missing User Warnings

Low
Confidence: 88%
Finding
The workflow writes generated content to a local filesystem path without clearly warning the user that files will be created or overwritten in the workspace. While lower impact than live posting, silent local writes can expose sensitive content, create persistence on shared machines, or interfere with existing files if paths are misconfigured.

VirusTotal

65/65 vendors flagged this skill as clean.
