
Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent X/Twitter search helper that sends user-provided search queries to xAI, with no evidence of hidden persistence, local data scraping, or destructive behavior.

Install only if you intend to let the agent search X through xAI. Configure an XAI_API_KEY you are comfortable using, and do not include secrets, private personal data, or confidential business topics in search queries unless you are comfortable sending that text to xAI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill description includes broad, everyday triggers like 'find tweets', 'search X/Twitter', and 'look up what people are saying', which can cause the agent to invoke this skill for loosely related requests. Because the skill sends user queries to an external third-party API, overbroad activation increases the chance of unnecessary data disclosure and unintended external calls.

Missing User Warnings

Medium
Confidence: 95%
Finding
The usage and notes describe how to run the search but do not warn that the user's query will be transmitted to xAI's external API and used with the x_search tool. Without a clear disclosure, users may unknowingly send sensitive prompts, names, or topics to a third-party service, creating privacy and compliance risk.

VirusTotal

67/67 vendors flagged this skill as clean.
