XHunt Hot Tweets

Security checks across malware telemetry and agentic risk

Overview

This is a transparent read-only helper for fetching public XHunt trend pages and summarizing hot tweets in Chinese.

Install this if you want XHunt/X/Twitter trend summaries and are comfortable with the agent contacting trends.xhunt.ai. Expect Chinese output by default, and verify the manual rsync destination path if installing from GitHub.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill description includes broad trigger phrases such as requests for '热门帖子' or '给我链接+摘要', which can overlap with ordinary conversation and cause the skill to activate when the user did not explicitly ask for XHunt/Twitter trend extraction. Mis-triggering can route unrelated requests into external browsing/fetch behavior, causing incorrect tool use, unnecessary network access, and confusing responses.

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The skill is designed to always output Chinese summaries without offering language selection or clearly warning users of that restriction. In multilingual environments, this can cause unintended transformation of content, loss of nuance, or user confusion, especially if the original posts are in another language and the user expected source-language fidelity.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal