ClawHub

X Alpha Scout

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated X/Twitter crypto-reporting purpose, but it needs review because it asks for sensitive X session credentials and can send reports to external channels without enough safeguards.

Install only if you are comfortable letting the agent and the bird CLI use an X/Twitter session for searches. Prefer a dedicated low-risk X account, store X_AUTH_TOKEN and X_CT0 in a secret manager or secure environment, never paste or log them, and rotate them if exposed. Confirm any Discord or Telegram destination before enabling delivery, and review reports before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This markdown file tells users to supply an auth token and CT0 cookie and shows them being passed to a CLI command, which involves sensitive credentials. The README does not include any warning about protecting these secrets, avoiding exposure in shell history/logs, or the privacy implications of using account credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The markdown directs the agent to send generated reports via Discord, Telegram, or similar channels, which can transmit analyzed user-requested content and derived intelligence to third-party services. The file does not provide a user-facing warning about external transmission, privacy implications, or verifying the user's preferred destination before sharing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prerequisites instruct users to export X_AUTH_TOKEN and X_CT0 and use them in commands, which involves sensitive credentials. While the file names the variables, it does not warn users not to expose, log, or share these secrets or explain that the skill accesses authenticated account data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal