Bytesagain X Manager

Security checks across malware telemetry and agentic risk

Overview

This X/Twitter automation skill is mostly honest about its purpose, but it can post, like, and reply from a live account with weak approval safeguards and some misleading disclosure.

Install only if you are comfortable giving this skill read/write control of an X account and sending content to xAI and Telegram. Use a dedicated account or tightly scoped tokens, avoid enabling the suggested cron schedule until every command has been tested, add explicit approval or confirmation for live posts and replies, and periodically clear the local state files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill declares powerful capabilities via behavior described in the markdown—reading environment credentials, writing state files under /tmp, and making outbound network calls to X, xAI, and Telegram—without an explicit permissions declaration. This weakens transparency and informed consent, making it easier for a user or platform to underestimate the skill's ability to access secrets and perform external actions on the user's behalf.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The documented behavior extends beyond managing the user's own X account into competitor monitoring, community reaction tracking, trend analysis, and translated Telegram reporting. That mismatch is security-relevant because users may authorize credentials expecting simple account management while the skill also performs broader surveillance and external reporting they did not clearly consent to.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The script sends mention text and author context to xAI for draft generation, but this capability is not reflected in the stated skill behavior. That creates an undisclosed third-party data transfer channel for external user content, which can violate privacy expectations and organizational data handling rules.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The comments and usage text state replies are only sent after Kelly confirms, but the CLI exposes a direct --send path with no verification that approval actually occurred. This creates a trust-boundary mismatch: an operator or wrapper can post replies directly while users believe a human approval gate exists.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The implementation of run_send accepts arbitrary reply_text and posts immediately, contradicting the stated 'after Kelly confirmation' behavior. In an automation context, this makes account takeover-by-workflow or accidental unauthorized posting materially more likely.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding:
The file presents itself as a monitor/draft generator, but it contains a fully functional automatic posting path that can publish to the organization's X account using stored OAuth credentials. This mismatch is dangerous because operators may grant the skill broader trust than intended, enabling unauthorized or unexpected public actions and reputational damage.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding:
The docstring says drafts are for manual posting, but later code can automatically publish them. This hidden capability increases the chance that users or platform operators misunderstand the risk profile and expose live social credentials to code they believe to be read-only/reporting-oriented.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill describes automated posting, liking, and reply workflows but does not prominently warn that it will take actions on the user's social-media account and change external state. This increases the risk of unintended posting, engagement abuse, reputational damage, or policy violations because the operator may not appreciate that the skill is not read-only.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This script triggers real external actions on X/Twitter via simple commands such as like, post, scan-mentions, and send-reply, but it does not present an explicit warning or confirmation that these commands will perform network operations and may modify a live social-media account. In an agent/skill context, that omission is risky because a user or orchestrating system may invoke the command without realizing it will publish content, like posts, or send replies on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script forwards original mention text, usernames, and follower counts to Telegram without clear disclosure or consent. Because social mentions may contain personal or sensitive content, this creates a privacy and data-sharing risk beyond the X platform itself.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Mention text is transmitted to xAI for reply drafting without clear disclosure. This is sensitive because externally generated user content is being exported to a separate processor, increasing privacy, retention, and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Automatic tweet posting occurs without an approval gate, confirmation prompt, or just-in-time warning. In a social-media management context, that creates a real risk of unintended public messages, policy violations, and account abuse if generated or saved drafts are poor, manipulated, or stale.

Ssd 4

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly recommends staggering multiple replies to 'appear natural,' which is a deception pattern intended to mask automation from platform detection or human observers. That makes the automation more dangerous in context because it facilitates covert coordinated posting and increases the likelihood of policy evasion, account suspension, or abuse of the user's account.

VirusTotal

67/67 vendors flagged this skill as clean.
