ClawHub

JS X Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent X.com account monitor, but users should understand that notifications can send monitored tweet content to external messaging channels.

Install if you are comfortable letting the skill read monitored X.com accounts through your logged-in browser session and send new-tweet summaries plus links to the messaging channels configured in ~/.openclaw/x-monitor/config.json. Use only approved notification channels, consider a dedicated low-privilege X.com browser profile, and stop the cron job when background monitoring is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes forwarding monitored X.com content to external messaging platforms such as Feishu, WeChat, and Discord, but does not clearly disclose that tweet/account data will leave the local environment once notifications are sent. This can mislead users because the document also emphasizes privacy and local deployment, creating a risk of unintended third-party data sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to reuse their existing browser login session for X.com automation without warning that the skill and connected extension may gain access to authenticated session context. In a monitoring/automation skill, this increases the risk of account misuse, overbroad data access, or unintended actions if the extension, gateway, or skill is compromised.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The skill stores account configuration and monitoring state on disk in the user's home directory, but the description does not prominently warn users about this persistence behavior. While not an exploit by itself, undisclosed local storage can expose monitored account lists, notification settings, and usage history to other local users, backups, or endpoint collection tools, creating a privacy and transparency issue.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The documentation explains notification delivery via channels such as Feishu but does not clearly warn users that monitored X.com content and related metadata may be transmitted to external services. This can lead to unintended data disclosure, especially if users monitor sensitive accounts or operate in regulated environments.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal