X402 X Tweet Fetcher

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed paid Xcatcher workflow, but users should treat the payment step, API key, and downloaded files carefully.

Install only if you trust Xcatcher and intend to pay for its service. Before sending USDC, verify the live quote, recipient address, amount, and quote freshness. Do not share terminal logs or buy.json if they contain the API key, and delete or secure downloaded task files if the results are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 90%

Finding
The skill performs financially sensitive actions, handles an API key, and writes downloaded files locally, but it does not present an explicit up-front warning that these steps can spend funds, create credentials, and persist artifacts on disk. In an agent setting, missing consent boundaries increases the risk of unintended purchases, accidental credential exposure, and surprising local side effects.

VirusTotal

64/64 vendors flagged this skill as clean.
