ClawHub

xqueue

Security checks across malware telemetry and agentic risk

Overview

XQueue appears to be a real X/Twitter scheduler, but it deserves review because it can post publicly on a schedule and has under-scoped credential and posting behaviors.

Install only if you want queued files to become live X posts without asking each time cron runs. Use dry-run first, set credentials explicitly with environment variables, review the Keychain fallback before relying on it, keep backups if deleteAfterPost is enabled, and check queued/backlog files carefully before enabling cron.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The skill performs extra notification behavior through OpenClaw in addition to its stated file-based tweet scheduling purpose. That expands the skill's ability to send user-visible messages outside the core function, which can be abused for spam, misleading alerts, or covert signaling if untrusted content is routed into notifications.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill accesses credentials from environment variables and the macOS Keychain, which is a privileged capability not obvious from a simple file-based scheduler description. In this context the access is functionally related to posting to X, but it still materially increases risk because the code can retrieve secrets from broader local stores if deployed in a sensitive environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that posted files are deleted after posting and that cleanup runs automatically, but it does not prominently warn users that content may be permanently removed as part of normal operation. In a file-based scheduler where the filesystem is the primary interface, insufficient warning about destructive behavior can lead to accidental loss of drafts, media, or scheduled content if users misunderstand how the tool handles files.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The README instructs users to supply X API credentials via environment variables and optionally macOS Keychain, but it does not explain the sensitivity of those secrets or the risks of exposing them through shell history, logs, shared environments, or misconfigured cron jobs. While not an exploit by itself, this omission increases the chance of credential leakage and unauthorized posting from the linked X account.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill prominently describes automatic posting and default deletion of files after posting, but it does not present a strong upfront warning that this triggers live external actions and destructive local file removal. In an agent context, this can cause unintended social-media posts or irreversible content loss if a user misunderstands the behavior or enables automation without safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal