ClawHub

X 长文发布

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate X Articles draft helper, but it automatically reads and persists local X/Twitter session cookies, so users should review it before installing.

Install only if you are comfortable letting the skill read local X/Twitter cookies and store them for Playwright reuse. Keep the storage-state file private, delete it after use if you do not want session reuse, avoid committing or syncing it, consider using a dedicated browser profile, and review Markdown image URLs and matched local image filenames before creating a draft.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly instructs use of scripts that read local files, write HTML and storage-state artifacts, access browser cookies, and may download remote images, yet it declares no permissions. This creates a capability/expectation mismatch that can bypass user review and increase the chance of sensitive local data access without clear disclosure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The parser makes outbound HTTPS requests for any remote image URL embedded in Markdown, which introduces network side effects in a component described as local parsing/preparation. This can leak the user's IP/user-agent to third parties, enable SSRF-style access to internal endpoints if untrusted Markdown is parsed, and cause unintended data flow beyond the expected trust boundary.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
When a referenced image is missing, the parser searches broad user directories like Downloads, Desktop, and Pictures and silently substitutes a same-named file. That behavior can pull unrelated personal files into the publishing workflow, causing accidental disclosure of local content outside the article directory.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The default prompt authorizes a broad sequence of sensitive actions: parsing user content, exporting local X/Twitter cookies, reusing them for Playwright login, and driving a browser session. Because the trigger language is not tightly constrained to explicit user consent for credential/cookie access, the skill could be invoked in situations where local authentication material is copied or reused more broadly than intended.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes live authentication cookies to a predictable cache path on disk without enforcing restrictive file permissions or warning that the file is highly sensitive. If another local user, process, backup system, or accidental sync/commit accesses the file, those cookies could be reused to impersonate the account in Playwright or other tooling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code performs remote image downloads and can write HTML to a user-specified file path without an explicit interactive warning or consent mechanism about these side effects. In an automation skill, hidden network and filesystem actions are more dangerous because users may assume parsing is read-only and may not notice external requests or local file creation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=10.0
browser-cookie3>=0.20
Confidence
97% confidence
Finding
Pillow>=10.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=10.0
browser-cookie3>=0.20
Confidence
97% confidence
Finding
browser-cookie3>=0.20

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
- 已有 Markdown,要发到 X Articles
- 发布流程报错,需要排查
- 仓库里还没有 X Articles 发布能力,需要补一个 publish-only 流程

如果用户没有现成文章,或者其实在问“X 上该写什么”,切给更合适的 Skill。
Confidence
98% confidence
Finding
cookies.py --no-cache --browser edge

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal