X Reader

Security checks across malware telemetry and agentic risk

Overview

This is a coherent content-reading skill, but users should understand that it can contact external services, retain fetched content, and reuse user-created platform sessions.

Install this only if you are comfortable with URLs, fetched content, and sometimes audio being sent to third-party services such as Jina, Groq, Telegram, and platform APIs. Do not use saved logins if you do not want authenticated scraping, avoid private or internal links, and leave OUTPUT_DIR/OBSIDIAN_VAULT unset if you do not want Markdown archives.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The Playwright fallback explicitly loads a saved authenticated X session and uses it to fetch content that may otherwise require login. In a generic fetcher with no clear access-control justification or per-request consent, this can cause the agent to access account-scoped or restricted content using stored user credentials, expanding data exposure beyond public content.

Intent-Code Divergence

Medium (94% confidence)
Finding
The public read() API is documented and named as a fetch/read operation, but it also performs implicit persistence to inbox storage and markdown output as a side effect. In an agent skill, hidden writes can leak sensitive fetched content, create unintended data retention, and violate caller expectations or sandbox assumptions, especially when processing untrusted or private URLs.

Vague Triggers

Medium (88% confidence)
Finding
The README explicitly states that in Claude Code, sending a YouTube/Bilibili/podcast link causes the video skill to auto-trigger and produce a transcript and summary. That broad trigger can cause unintended network access, content retrieval, and transcription of user-provided links without an explicit confirmation step, which is risky in an agent setting where simple link sharing may not imply consent to execute external actions.

Missing User Warnings

Medium (85% confidence)
Finding
The README promotes fetching, transcribing, and digesting content from external platforms, including Whisper transcription via Groq and other third-party services, but does not prominently warn users that URLs and content may be transmitted off-host. In a skill context, this can lead to accidental disclosure of sensitive links or media to external services and unexpected network activity.

Vague Triggers

Medium (95% confidence)
Finding
The skill’s trigger conditions are very broad and match common, everyday requests like analyzing an article or extracting key takeaways. This creates a real risk of unintended auto-invocation on routine user messages, causing the agent to fetch external content or process data when the user may not have explicitly intended to use this skill. In this context, the danger is increased because the skill can pull content from many external platforms and chain into transcription or scraping workflows.

Missing User Warnings

Medium (89% confidence)
Finding
The skill mentions one-time login and saved sessions for Playwright fallback, but it does not present this as a prominent user warning or explain the privacy and security implications of session persistence. Users may unknowingly authorize browser automation that stores authenticated state, which could later be reused to access personal accounts or sensitive content. The risk is higher here because the skill targets social/content platforms where authenticated sessions often expose private or semi-private data.

Missing User Warnings

Medium (95% confidence)
Finding
The function forwards a user-supplied URL to https://r.jina.ai, which means the full target URL and any embedded sensitive query parameters are disclosed to an external third-party service. Even if intended as a content-extraction feature, this creates a privacy and data-handling risk because users may not realize their requested URLs are being sent off-platform, and internal-only or sensitive links could be exposed.

Missing User Warnings

Medium (88% confidence)
Finding
The code silently uses a saved authenticated session when one exists, with only a log message and no explicit runtime warning or consent flow to the user. In an agent setting, this increases the risk of surprising credential use and unintended access to non-public or personalized content.

Missing User Warnings

Medium (90% confidence)
Finding
The function uploads downloaded audio content to a third-party service when subtitles are unavailable, but the code provides no explicit user-facing consent or disclosure at the point of transfer. This creates a privacy and compliance risk because video content may contain sensitive or copyrighted material, and users may reasonably expect local processing only.

Missing User Warnings

Medium (96% confidence)
Finding
Fetched remote content is automatically written to markdown without any user-visible confirmation, sanitization gate, or explicit consent. In this skill context, URLs may point to sensitive internal, private, or user-supplied content, so automatic persistence increases the risk of secret retention, accidental disclosure, and downstream content injection into tools that later render or process those markdown files.

VirusTotal

64/64 vendors flagged this skill as clean.
