Twitter/X scraper with Apify actors

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it runs Apify actors to collect Twitter/X followers and optionally enrich them with emails, with privacy and cost cautions for users.

Install only if you intend to use Apify for Twitter/X audience collection. Keep APIFY_TOKEN in a secret or environment variable, avoid pasting it into shared chats or shell history, use only trusted Apify actor IDs, set modest limits, and enable email enrichment only when you have a lawful and appropriate basis to process contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 86%
Finding
The README explicitly promotes optional email enrichment and export of collected data to CRM, Google Sheets, and outbound workflows, but provides no warning about privacy, consent, platform terms, or lawful handling of personal data. In this skill context, that omission matters because the tool is designed for lead generation and outreach, increasing the likelihood that users will collect and process personal data in ways that create compliance, privacy, and reputational risk.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill is designed to collect follower/following data and optionally enrich usernames with email addresses, which involves processing personal and contact data at scale. Without clear privacy warnings, lawful-use constraints, or data-handling guidance, users may deploy it in ways that violate privacy expectations, platform terms, or internal compliance requirements, leading to misuse and downstream legal or reputational harm.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document explicitly defines workflows for collecting Twitter/X follower data and enriching it with email addresses, but it provides no privacy notice, lawful-use constraints, consent expectations, retention guidance, or data-handling safeguards. In a skill designed for audience collection and email enrichment, that omission increases the likelihood of misuse for unsolicited contact, profiling, or non-compliant personal-data processing.

Missing User Warnings

Medium
Confidence: 87%
Finding
The troubleshooting guide’s minimal smoke test includes `--include-emails`, which normalizes collection of enriched email data in a basic example without any privacy warning, lawful-basis guidance, or data-minimization caveat. In a skill specifically designed for Twitter/X audience collection and optional email enrichment, this makes unnecessary sensitive-data collection more likely during routine testing and increases the chance of misuse or non-compliant processing.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill sends collected Twitter/X usernames and optional email-enrichment inputs to third-party Apify actors without any explicit user-facing disclosure or consent mechanism in the script. In a data-collection/enrichment skill, this raises real privacy and compliance risk because users may not realize that profile identifiers and derived contact data are being shared with an external processor.

VirusTotal

66/66 vendors flagged this skill as clean.