X Tweet Speedread

Security checks across malware telemetry and agentic risk

Overview

This paid X-post summarizer mostly matches its purpose, but its built-in billing key and caller-supplied user ID create an unclear charge authorization boundary.

Install only if you trust the publisher and SkillPay billing model. Treat each run as billable, avoid private or sensitive X URLs, and require explicit user confirmation before invoking the script with a user ID.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares no permissions even though it uses environment access and network capabilities. This weakens transparency and reviewability, making it harder for users and platforms to understand that the skill can contact external services and use sensitive configuration such as billing-related environment variables.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior materially differs from the observed behavior: the skill reaches undisclosed third-party services, appears to include embedded billing credentials, and has billing/pricing behavior that does not clearly match the public description. In a charge-first skill, this mismatch is especially dangerous because users may be billed or have their data sent to external services without informed consent.

Missing User Warnings

Medium
Confidence: 84%
Finding: The skill transmits user identifiers and requested URLs to third-party billing and content-fetch endpoints without clear consent, minimization, or privacy controls. In this context, that is dangerous because X post URLs and user IDs can be sensitive metadata, and the code also forwards content requests to external proxy services beyond the original platform.

VirusTotal

66/66 vendors flagged this skill as clean.
