Neomano X (Tweet Publisher + Image)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it drafts a post and image and publishes to X only after explicit approval. It does, however, handle sensitive X credentials (OAuth tokens).

Install it only if you intend to let the agent help post to your X account. Review the final text and image before typing PUBLICAR or PUBLISH, use a dedicated least-privilege X app and token where possible, do not share command history or logs that contain OAuth values, and rotate the tokens if they are ever exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%

The skill needs environment variables, shell execution, and network access to function, but none of these capabilities is declared as a permission. This is a transparency and review gap: an operator may invoke the skill without realizing it can read secrets from the environment and make external API calls, which raises the risk of unintended credential exposure or unauthorized outbound actions.
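One way to surface this gap mechanically, as an added example written for this page and not SkillSpector's code or the skill's own: parse the skill's script and compare the capabilities it actually exercises (environment reads, shell execution, outbound network) with the permissions its manifest declares. The sample script and manifest below are constructed for the example, and the manifest shape ({"permissions": [...]}) and the capability names "env", "shell" and "network" are assumptions, not a format the page specifies.

```python
"""Static check: which capabilities does a skill script use, and are they
declared?  Added example, not SkillSpector's or the skill's code; the manifest
format and the capability names are assumptions."""
import ast

# Constructed sample script, shaped like the behaviour the finding describes:
# it reads OAuth material from the environment, shells out, and calls the X API.
SAMPLE_SCRIPT = '''
import os
import subprocess
import requests

token = os.environ["X_OAUTH_TOKEN"]
secret = os.getenv("X_OAUTH_TOKEN_SECRET")
subprocess.run(["convert", "draft.png", "-resize", "1200x675", "out.jpg"])
requests.post("https://api.x.com/2/tweets", json={"text": "draft"})
'''

# Constructed manifest (assumed format): only filesystem access is declared.
SAMPLE_MANIFEST = {"permissions": ["filesystem"]}

NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "socket", "aiohttp"}
SHELL_CALLS = {("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
               ("subprocess", "check_call"), ("subprocess", "check_output"),
               ("os", "system"), ("os", "popen")}
ENV_ACCESS = {("os", "environ"), ("os", "getenv")}


def used_capabilities(source: str) -> set:
    """Walk the AST; imports of network modules and attribute accesses such as
    os.environ / subprocess.run reveal which capability the script relies on."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            pair = (node.value.id, node.attr)
            if pair in ENV_ACCESS:
                caps.add("env")
            elif pair in SHELL_CALLS:
                caps.add("shell")
            continue
        else:
            continue
        if any(m.split(".")[0] in NETWORK_MODULES for m in modules):
            caps.add("network")
    return caps


def undeclared_capabilities(source: str, manifest: dict) -> list:
    """Capabilities the script exercises that the manifest does not declare."""
    declared = set(manifest.get("permissions", []))
    return sorted(used_capabilities(source) - declared)


if __name__ == "__main__":
    gap = undeclared_capabilities(SAMPLE_SCRIPT, SAMPLE_MANIFEST)
    print("undeclared capabilities:", gap or "none")
```

The check is deliberately syntactic: it catches the common module-level patterns and will miss indirection (aliased imports, `getattr`, dynamically built commands), so treat an empty result as "nothing obvious", not as proof the declaration is complete.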

Missing User Warnings

Severity: Medium
Confidence: 98%

The script accepts oauth-token, oauth-token-secret, and oauth-verifier as command-line arguments. Values passed this way are exposed through shell history, process listings (ps, /proc/<pid>/cmdline), job-control logs, and system monitoring tools. Because this utility handles live OAuth material for a social-media publishing skill, that exposure could let another local user or a monitoring system capture the credentials and complete or replay parts of the authorization flow.
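The pattern the finding describes and one hardened alternative, as an added example written for this page rather than the skill's own code: a loader that refuses the three flags on argv, reads the values from the process environment instead, and redacts them before anything is logged. The flag names follow the finding's wording; the environment variable names (X_OAUTH_TOKEN and so on) and the argv sample are constructed assumptions.

```python
"""Why OAuth values must not travel on argv, and one way to take them instead.
Added example; the flag names mirror the finding, the X_OAUTH_* variable
names and the sample command line are assumptions."""
import os
import sys

# Secret-bearing flags the finding names, mapped to an (assumed) environment
# variable that should carry the value instead.
SECRET_FLAGS = {
    "--oauth-token": "X_OAUTH_TOKEN",
    "--oauth-token-secret": "X_OAUTH_TOKEN_SECRET",
    "--oauth-verifier": "X_OAUTH_VERIFIER",
}

# Constructed argv in the vulnerable shape: two secrets on the command line,
# one as '--flag value' and one as '--flag=value'.
SAMPLE_ARGV = ["publish.py", "--text", "hello", "--oauth-token", "tok-abc",
               "--oauth-token-secret=sec-xyz"]


def secrets_on_argv(argv):
    """Return the secret-bearing flags present in argv.  Anything listed here
    is readable via `ps -ef`, /proc/<pid>/cmdline and the shell history file."""
    return [arg.split("=", 1)[0] for arg in argv[1:]
            if arg.split("=", 1)[0] in SECRET_FLAGS]


def redacted_command_line(argv):
    """What a log line should record instead of the raw argv."""
    out, skip_next = [], False
    for arg in argv:
        if skip_next:
            out.append("***")
            skip_next = False
            continue
        name, sep, _ = arg.partition("=")
        if name in SECRET_FLAGS:
            out.append(name + "=***" if sep else name)
            skip_next = not sep
        else:
            out.append(arg)
    return " ".join(out)


def load_oauth_credentials(argv, environ):
    """Hardened loader: refuse argv-supplied secrets and read them from the
    environment.  Environment variables are not shown by ps and are not
    written to history, but they are still readable by the same user (and
    root) via /proc/<pid>/environ, so a dedicated least-privilege token
    remains the control that limits the blast radius."""
    leaked = secrets_on_argv(argv)
    if leaked:
        wanted = ", ".join(SECRET_FLAGS[f] for f in leaked)
        raise SystemExit(f"refusing secrets on the command line ({', '.join(leaked)}); "
                         f"set {wanted} in the environment instead")
    creds = {}
    for flag, var in SECRET_FLAGS.items():
        value = environ.get(var)
        if not value:
            raise KeyError(f"{var} is not set")
        creds[flag.lstrip("-").replace("-", "_")] = value
    return creds


if __name__ == "__main__":
    print("logged as:", redacted_command_line(sys.argv))
    creds = load_oauth_credentials(sys.argv, os.environ)
    print("loaded credentials for:", ", ".join(creds))
```

Run it once with `--oauth-token` on the command line to see the refusal, then with the three X_OAUTH_* variables exported and no secret flags to see it load; only the redacted line is ever printed.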

VirusTotal

0 of 62 vendors flagged this skill; all 62 reported it clean. Note that antivirus verdicts speak to known malware signatures, not to the credential-handling and permission issues reported above.

View on VirusTotal