X Search 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a narrow X/Twitter search helper that uses the user's xAI API key to send search queries to xAI, which matches its stated purpose.

Install only if you are comfortable sending X/Twitter search terms and filters to xAI under your API key and quota. Prefer a dedicated or least-privilege key, avoid sensitive queries, and store the key in an environment or config location with appropriate local access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares it requires an API key and invokes a Python script that will necessarily make outbound requests to xAI, but the skill metadata does not explicitly declare permissions for environment access and network use. This weakens reviewability and consent because users and tooling may not get a clear, enforceable signal that the skill can read secrets and transmit data externally.

Missing User Warnings

Medium
Confidence: 88%
Finding: The setup instructions tell users to export an API key and store it in local configuration without warning about shell history, shared terminals, or plaintext config exposure. This can lead to credential leakage through command history, dotfiles, backups, screenshots, or improperly permissioned local config files.

VirusTotal

61/61 vendors flagged this skill as clean.
