dfsgdfgdfgddfsdfsdfsdfsdfsd1111

Security checks across malware telemetry and agentic risk

Overview

This is a narrow X/Twitter search helper that sends user-entered searches to xAI using the user's XAI_API_KEY, with no evidence of hidden access, persistence, or destructive behavior.

Install only if you are comfortable sending search text, handle filters, date filters, and media-analysis options to xAI under your XAI_API_KEY. Avoid using it for secrets, confidential project names, sensitive personal data, or searches you would not want processed by a third-party API provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill documentation indicates access to environment variables and an external networked API, but no explicit permissions are declared. That creates a transparency and governance gap: users or orchestrators may invoke a capability that can read secrets and transmit user queries externally without a clear permission boundary.

Vague Triggers

Medium

Confidence: 74% confidence
Finding: The invocation description is broad enough to match many generic requests about social media or online discussion, which can cause unintended activation. In practice this can lead to unnecessary external API calls and disclosure of user prompts to a third party when the user did not explicitly ask to use X search.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation describes usage but does not clearly warn users that their search terms are transmitted to xAI's external API for processing. This is a privacy and data-handling issue because users may enter sensitive topics, names, or internal information assuming the search is local or platform-native.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The description contains broad trigger phrases like 'find tweets', 'search X/Twitter', and 'look up what people are saying on X', which can match many ordinary user requests and cause the skill to be invoked more often than users expect. In a skill that sends queries to an external service, overbroad activation increases the chance of unintended data disclosure or use of a third-party tool without clear user awareness.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The usage section shows how to run searches but does not warn that the user's query will be transmitted to xAI/X infrastructure. Because search terms may contain sensitive topics, internal project names, personal data, or investigative prompts, the lack of a visible disclosure can lead to unintended sharing with an external provider.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal