Back to skill

Security audit

showname

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward X/Twitter search helper that uses a user-provided xAI API key to send search requests to xAI and return results.

Install only if you are comfortable providing an xAI API key and sending your search queries and filters to xAI. Avoid using it for secrets, private investigations, or sensitive internal topics unless that external processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares environment-variable and network-dependent behavior in metadata and usage, but does not expose explicit permissions or equivalent user-facing consent boundaries. This can lead to under-informed execution where a user or orchestrator invokes a networked skill that accesses secrets and sends data externally without clear declaration.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The description uses broad activation phrases like finding tweets, looking up what people are saying, or finding social posts about a topic, which can match many ordinary user requests. Over-broad routing increases the chance that sensitive or unrelated prompts are sent to this external-search skill unintentionally, expanding privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explains API-key setup and real-time X searches but does not clearly warn that user queries and possibly derived search parameters will be transmitted to an external service. In a social-search context, users may provide sensitive topics, names, or investigative queries that they do not expect to leave the local agent environment.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.