X Extract

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed X/Twitter extraction helper, but it under-scopes browser profile/session use and optional shell-based media downloads.

Install only if you are comfortable with an agent opening X/Twitter pages in a browser profile and optionally downloading media files. Use a fresh non-logged-in profile, avoid private or account-only content, and approve media downloads only after checking the source URL and destination path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium
92% confidence
Finding
The skill’s stated purpose is tweet extraction, but it also instructs the agent to invoke `exec` with `curl`/`wget` to fetch arbitrary media URLs and write files locally. Expanding from browser-only extraction into shell-based network access and filesystem writes increases risk substantially, because any mistake in URL validation or downstream handling can lead to unintended downloads, policy bypass, or misuse of local execution capabilities.

Description-Behavior Mismatch

Medium
90% confidence
Finding
The documentation advertises credential-free tweet extraction via browser automation, but the workflow also includes downloading remote media to local disk and reporting file paths. That is a broader capability than users and reviewers would reasonably expect from the skill description, which can lead to over-privileged behavior and unsafe execution paths being triggered under the guise of simple content extraction.

Missing User Warnings

Medium
95% confidence
Finding
The skill tells the agent to execute shell commands and save files without requiring an explicit warning or confirmation to the user. Hidden side effects like local writes and command execution are dangerous because they reduce user awareness, make abuse easier, and can turn a simple extraction request into unanticipated code-adjacent operations on the host environment.

Vague Triggers

Medium
93% confidence
Finding
The trigger phrase at line 11 is broad enough to match generic requests that are not clearly limited to tweet extraction, which can cause the skill to be invoked unexpectedly. In an agentic environment, overbroad routing increases the chance of misfires, unintended browsing/scraping actions, and incorrect handling of user intent.

Vague Triggers

Medium
96% confidence
Finding
The trigger set includes multiple broad phrases and wildcard URL patterns that lack clear scope boundaries, making accidental invocation more likely across unrelated user requests. Because this skill performs browser automation against external sites, an overly permissive trigger surface increases operational risk by causing unintended web access or scraping behavior when a different skill or no skill should be used.

VirusTotal

66/66 vendors flagged this skill as clean.
