Security audit

X Media Parser

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do more than parse X/Twitter media links: it can create aria2 download jobs using hardcoded RPC settings and save files locally, with incomplete disclosure and incomplete user control.

Install only if you intentionally want both X/Twitter media parsing and aria2-based downloading. Before use, inspect and change the aria2 RPC endpoint, secret, and output directory, avoid passing sensitive/private tweet URLs, and run download actions only when you are comfortable with external API requests and local file creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises shell-capable usage and companion scripts but declares no permissions, which can mislead users and host platforms about its actual execution capabilities. Undeclared shell access increases risk because downstream tooling may allow command execution or file/network side effects without an explicit trust decision.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is only to parse X/Twitter posts and return direct media links, but the described behavior extends to automatic Aria2 task creation, local file persistence, and use of a hardcoded internal RPC endpoint and token. This mismatch is dangerous because users may invoke the skill expecting read-only parsing while it can trigger privileged network actions against an internal service and download content onto the system.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill claims to parse X/Twitter media links, but it also performs a state-changing action by submitting download jobs to an aria2 RPC service. Because the RPC endpoint, secret, and output directory are hardcoded inside the embedded Python, running the skill can trigger unintended downloads to a fixed internal service without meaningful user control or transparency.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The shell portion advertises configurable RPC settings via environment variables, but the Python block ignores them and instead uses hardcoded values. This mismatch is dangerous because operators may believe they are controlling the destination and credentials when the script will actually send download jobs to a fixed endpoint using a fixed secret.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends tweet identifiers or URLs to the vxtwitter third-party API but does not warn users that external transmission occurs. This can expose user activity, sensitive links, or metadata to an external service, which is especially relevant when users assume the tool operates locally.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The one-click download workflow encourages creating download tasks and saving files locally without clearly warning about filesystem changes and network activity. While common for downloader tools, undisclosed side effects can still surprise users, consume storage/bandwidth, or place files in sensitive mounted directories.

External Transmission

Medium
Category
Data Exfiltration
Content
## Underlying implementation

Uses the vxtwitter API: `https://api.vxtwitter.com/Twitter/status/{tweetId}`

## Dependencies
Confidence
84% confidence
Finding
https://api.vxtwitter.com/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.