Maverick X Mcp

Security checks across malware telemetry and agentic risk

Overview

This X integration is mostly transparent about what it does, but it grants post/delete account authority and runs unpinned downloaded code, so it needs review before use.

Install only if you are comfortable giving this skill OAuth credentials that can read and write X content, including posting and deleting. Prefer a read-only configuration or remove the write/delete tools if you only need search and timeline access, and consider pinning or vendoring the downloaded XMCP server code before using it in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    _touch(stamp)
    env = os.environ.copy()
    env["MCPORTER_CONFIG"] = str(config_path)
    completed = subprocess.run(["mcporter", *args.mcporter_args], env=env, check=False)
    _touch(stamp)
    timeout = int(
        os.environ.get(
Confidence
88% confidence
Finding
completed = subprocess.run(["mcporter", *args.mcporter_args], env=env, check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior clearly relies on sensitive capabilities including environment variable access, local file interaction, shell execution, and network communication. This creates a permission-transparency gap: operators and policy systems cannot accurately assess or constrain what the skill can do, increasing the chance of over-privileged execution and unsafe deployment.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill description frames the capability as searching, reading, and working with X content, but the allowed tools include createPosts and deletePosts, which materially expand it into write/destructive actions. This creates a capability mismatch that can lead an agent or user to invoke the skill under the assumption it is read-oriented, while it is actually able to publish or remove content on the user's X account.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
deletePosts is a destructive capability that is not justified by the stated purpose of searching, reading, and working with X posts and timelines. If invoked accidentally, through prompt confusion, or by a malicious instruction chain, it could delete the user's content and cause reputational, operational, or irreversible account damage.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata suggests search/read access, but the default allowlist also enables createPosts and deletePosts. That mismatch can mislead users or calling agents into invoking a tool with write/destructive side effects they did not expect, which is especially risky in a social-media skill where actions affect a real external account.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script downloads server.py and requirements.txt from a moving GitHub branch and later installs and executes them without pinning, signature verification, or hash validation. This creates a supply-chain remote code execution risk: compromise of the upstream repo, branch, network trust, or dependency set can lead to arbitrary code running on the local machine.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The patch forwards inbound Authorization headers directly to outbound X API requests and falls back to an environment token if present. In an MCP setting, this means sensitive bearer credentials are automatically reused across boundaries; if the wrapper or upstream server is compromised or behaves unexpectedly, the token can be abused to act on the user's X account, especially since write/delete tools are enabled.

VirusTotal

VirusTotal findings are pending for this skill version.
