Security audit

X Engagement

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed X/Twitter engagement assistant, but it should be reviewed because it can operate a logged-in account and keep long-lived local profiles of user facts, comments, and personas.

Install only if you are comfortable with a skill that can use your logged-in X/Twitter browser session after confirmation and store local engagement memory. Keep per-action approval enabled for every like, follow, and comment; review the Browser Relay package before running it; and regularly inspect or delete the local memory, especially user facts, personas, and daily logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (26)

Description-Behavior Mismatch

Severity: Medium
Confidence: 79%
Finding: The description does not clearly disclose the documented daily review/reporting workflow. Even if scheduling is manual, users should be informed that the skill is designed to support periodic review and reporting of activity data.

Description-Behavior Mismatch

Severity: Low
Confidence: 79%
Finding: The description does not clearly disclose the documented daily review/reporting workflow. Even if scheduling is manual, users should be informed that the skill is designed to support periodic review and reporting of activity data.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The document says it does not auto-install cron or modify crontab, but later describes a fixed 22:00 daily review that pushes reports to the user. This contradiction can mislead users about persistence and background behavior, which is dangerous when the skill also stores account activity and behavioral data.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The documented `detect_pattern` logic checks for the generic hour keyword `点` before checking `工作日`/`周末` (weekday/weekend), so inputs like `工作日晚上8点,周末随机3次` (weekdays at 8 pm, three random times on weekends) would be classified as `fixed` instead of `weekday_weekend`. In this skill, that can silently produce the wrong schedule configuration and cause the agent to act at unintended times, undermining user control over automated social-media activity.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: `parse_fixed_time` applies the `早/下/晚` (morning/afternoon/evening) checks against the entire `user_input` for every matched hour, so a string containing both morning and afternoon/evening markers can incorrectly shift all times. For example, the documented example with morning, afternoon, and evening times would not reliably produce the stated output, which can lead to incorrect automation schedules and unintended browser-driven actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The onboarding flow instructs the agent to run a local shell script (`./scripts/setup-cron.sh`) as part of normal setup, which expands the skill from browser automation into arbitrary local command execution. Even if the script is intended only to generate reminder templates, executing local scripts during onboarding creates an unnecessary trust boundary crossing and could be abused if the script content is modified, unsafe, or unexpected to the user.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README states that the skill will scrape 100 tweets for persona learning but does not provide a clear privacy notice, consent boundary, or data-handling disclosure. In a social-media automation context, collecting profile content at onboarding can create privacy, compliance, and user-expectation risks, especially if operators do not understand what is stored or reused.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill documents persistent storage of comment history, user facts, and daily logs without clearly warning about retention, sensitivity, or deletion controls. In this context, the memory system increases risk because it aggregates behavioral and conversational data over time, which could expose personal information, create profiling concerns, or leak private context if mishandled.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The memory system explicitly records user statements and comment history but provides no clear privacy notice, retention limits, or storage protections. This creates a risk of unnecessary collection and persistence of personal data, especially if it is stored locally in readable files.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The persona-learning stage describes collecting around 100 posts from an account without clear notice about data usage, consent boundaries, or retention. Large-scale content collection can create privacy, compliance, and reputational risk, particularly if the account is not the user's own.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The daily review and report-pushing flow implies ongoing analysis and outward reporting of activity, but the user is not clearly warned in the top-level description. Undisclosed continuous analysis increases privacy and expectation-management risk, especially when tied to engagement histories and evolving playbooks.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The workflow explicitly performs `post_comment(proposed)` and `record_comment(tweet, proposed)` as part of an automated pipeline, but the document provides no requirement for explicit user confirmation, notice of external account actions, or disclosure that interaction data will be persisted. In a social-media automation skill, silent posting and logging can cause unauthorized account activity, reputational harm, and privacy surprises even if the feature is intended.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill reads persona data and user history/facts from memory files to shape comments, but the document does not mention consent, data minimization, sensitivity boundaries, or transparency around this profiling behavior. Because this data influences outward-facing posts, undisclosed use of memory-derived personal context increases privacy risk and can expose inferred or sensitive information in generated comments.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The instructions automate posting public comments on X/Twitter, including browser control and comment submission, but do not require any explicit user confirmation, warning about irreversible public posting, or disclosure of account-activity/privacy consequences. In an agent skill context, this increases the risk of unintended public actions, reputational harm, and unsafe autonomous use of a logged-in social-media account.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The document instructs the agent to record every comment, user statement, and preference, but provides no consent, notice, minimization, or access-control guidance. In the context of a social-media engagement skill, this creates a privacy risk because personal data and behavioral profiles are collected by default and could be retained or reused without user awareness.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The retention policy explicitly marks user facts and personas for permanent retention, despite those files containing personal statements, inferred preferences, and profile data. Indefinite retention increases the blast radius of any compromise and creates ongoing privacy/compliance exposure because sensitive user-derived data is kept without a defined business necessity or deletion path.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The skill directs scraping up to 100 tweets/comments from a selected account, analyzing them, and storing a persona profile locally without an explicit notice about collection, retention, and intended use of that data. In this context, the feature is core to the skill, but the lack of informed consent and transparent data-handling guidance creates a real privacy and compliance risk rather than a purely theoretical issue.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The onboarding documentation describes writing persona/config files, creating directories and marker files, and later running a local script, but it does not provide a consolidated warning that local state will be modified. This can lead users to authorize actions without understanding the filesystem and execution side effects, increasing the chance of unintended persistence or unsafe script execution.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding: The playbook hard-codes a rule that any post not in Chinese or English should receive an English reply, without any user consent, locale-detection fallback, or justification. In an engagement automation skill, this can cause misleading, culturally inappropriate, or spam-like interactions across languages, increasing the risk of unwanted outreach and reputational harm.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script prints full comment text, timestamps, and author identifiers directly to stdout, which can expose personal data or sensitive engagement history to anyone with terminal access, shell history capture, logs, CI output, or shared monitoring. In the context of a social-media engagement skill that aggregates user interaction data daily, this increases privacy risk because the output is specifically tied to identifiable accounts and their content.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The instructions explicitly tell the agent to retain user-provided personal information in memory/history files. Persisting personal narrative details without strict minimization or consent can expose sensitive information, especially if the files are unencrypted or broadly accessible on the local system.

Ssd 3

Severity: Medium
Confidence: 90%
Finding: The skill directs the agent to log all comments and daily interaction data, creating a broad activity trail tied to the user's account behavior. Comprehensive retention of engagement data increases the blast radius of local compromise and may exceed what is necessary for the feature to work.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The core principles ('record everything', check history before commenting) direct broad, systematic collection of user content and interaction history. In an engagement automation skill, this is dangerous because it normalizes mass profiling and persistent storage without guardrails, making privacy abuse or secondary misuse more likely.

Ssd 3

Severity: High
Confidence: 99%
Finding: This section explicitly stores user statements, inferred traits ('喜欢吃火锅', i.e. "likes hot pot"; '对 AI 感兴趣', i.e. "interested in AI"), dislikes, activity patterns, and style preferences in long-lived files. The combination of raw statements plus inferences is especially risky because inferred profiling can be inaccurate, sensitive, and more harmful if leaked or used for manipulation in a social engagement context.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The daily log format includes user interactions and subjective notes such as mood and topics to avoid, creating a plain-language dossier over time. Such free-form logs often accumulate sensitive details, are hard to govern, and can be repurposed for surveillance or manipulation beyond the original operational need.

VirusTotal

65/65 vendors flagged this skill as clean.