xAPI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate xapi CLI gateway, but it gives agents broad external API, account, posting, OAuth, and payment-related abilities without enough user-control boundaries.

Install only if you trust xapi.to and the npx xapi-to package. Treat it as a broad external API gateway: avoid sending secrets or confidential content, protect the stored API key, and require explicit human approval before OAuth binding, posting, POST/PUT/PATCH/DELETE calls, or any top-up/payment flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch (Severity: Medium, Confidence: 92%)

Finding: The skill metadata presents xapi primarily as a data-access and AI-processing tool, but the body also instructs agents to perform account registration, persistent API key configuration, and connectivity setup. This expands the operational scope from passive retrieval into account lifecycle management, which can cause an agent to create or modify external accounts and store credentials without the user clearly consenting to those side effects.

Description-Behavior Mismatch (Severity: Medium, Confidence: 95%)

Finding: The documentation expands from a narrow set of described use cases into broad service discovery and arbitrary third-party API invocation, including proxying many external services. That mismatch is dangerous because an agent may be induced to call unexpected endpoints or transmit user data to unanticipated third parties under the benign-looking umbrella of 'xapi' access.

Description-Behavior Mismatch (Severity: Medium, Confidence: 96%)

Finding: The skill includes write-capable Twitter/X operations via OAuth-enabled official API endpoints, despite being described mostly as a read-oriented information retrieval skill. Hidden or under-disclosed write functionality can lead agents to post content or otherwise act on external accounts, creating integrity, reputational, and account-abuse risks.

Description-Behavior Mismatch (Severity: Medium, Confidence: 97%)

Finding: The skill documents balance checks and top-up/payment commands even though billing is not part of the stated purpose. Payment-related functions are highly sensitive because they can trigger financial commitments, expose payment URLs, and normalize an agent initiating funding actions unrelated to the user's original data-retrieval request.

Context-Inappropriate Capability (Severity: High, Confidence: 98%)

Finding: Account funding capability is unjustified in the context of a skill advertised for external data retrieval and AI text processing. If an agent follows these instructions automatically, it could initiate payment flows or encourage account funding without a clearly bounded business need, creating direct financial risk and potential credential leakage through payment URLs.

Vague Triggers (Severity: High, Confidence: 94%)

Finding: The trigger description is extremely broad, including cases where the user merely mentions xapi or wants to discover available services. Overbroad routing increases the chance of unintended invocation, which can cause unnecessary external calls, data transfer to third parties, account setup prompts, or exposure to write/billing features outside user intent.

Missing User Warnings (Severity: Medium, Confidence: 93%)

Finding: The skill encourages sending user queries and text to external services but does not prominently warn that user-provided content may be transmitted to xapi and onward to third-party APIs. This omission creates privacy and compliance risk because sensitive prompts, text, identifiers, or account-linked content could be shared externally without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.