ClawHub

X Hourly Brief

Security checks across malware telemetry and agentic risk

Overview

This skill appears to make X-post briefs, but it can charge a user balance through an embedded billing credential and fetch arbitrary URLs through external services.

Review carefully before installing or running. Only use this if you trust the publisher and billing provider, understand that it charges before generating results, and are comfortable sharing supplied URLs with external fetch/proxy services. Avoid using it with private, internal, or non-X URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises no declared permissions while its behavior requires environment-variable access and outbound network access. That mismatch weakens review and consent controls, because operators may invoke a skill without realizing it can contact external services and use secrets from the runtime environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose materially differs from the observed behavior: it contacts external billing infrastructure, uses a hardcoded default API key, generates payment links, fetches content via third-party proxy services, and accepts arbitrary URLs rather than restricting to X posts. This is dangerous because it expands the trust boundary well beyond what users expect, enabling unintended data exfiltration, secret misuse, SSRF-like URL fetching risks, and financial abuse through billing actions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script performs a billing charge before doing any summarization, which is a security-relevant behavior because it can trigger financial actions and transmit user identifiers to an external billing service without an explicit confirmation step in this code path. In the context of a content-briefing skill, charge-first execution materially expands risk beyond the advertised function and could lead to unauthorized or unexpected charges.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as generating briefs for X posts, but it accepts arbitrary URLs and later fetches them directly. That mismatch increases the attack surface, enabling use as a generic web-fetching tool and potentially causing retrieval of unintended internal or sensitive resources if this runs in a privileged environment.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The fetchText logic can request arbitrary user-supplied URLs and also proxies them through third-party services, which creates a broader-than-necessary network capability for this skill. In an agent or server environment, this can be abused for SSRF-style access, unexpected outbound requests, and disclosure of requested targets to external intermediaries.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code sends user_id, skill_id, and amount to an external billing endpoint and may trigger a charge before any visible disclosure or confirmation in this script. This is dangerous because it combines data transmission and monetary action in a hidden precondition, which can violate user expectations and enable abusive billing behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal