X Post Fetcher

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed browser-automation skill for collecting X/Twitter posts into a local report, with credential/session caveats but no artifact-backed malicious behavior.

Install only if you are comfortable letting an agent-controlled isolated browser access X.com. Prefer logging in manually in the browser window rather than sending passwords through chat, review generated reports before sharing, and avoid using it for private/protected content or high-volume scraping.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger section includes broad natural-language patterns plus a catch-all phrase for similar requests, which can cause the skill to activate in contexts the user did not clearly intend. Because this skill launches browser automation, navigates to external sites, and may prompt for login, accidental activation expands the chance of unintended web actions and credential-handling workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal