youmind-x-article

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it also includes under-disclosed abilities to delete X posts and use broader YouMind account features than a tweet writer needs.

Review carefully before installing. This skill needs a YouMind API key and can publish publicly through your connected X account. Only use it when you are comfortable with shared ~/.youmind storage, local post metadata files, and the fact that the package contains an under-disclosed delete command for X posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares powerful executable tools (`Bash(node dist/cli.js *)`, `npm install`, `npm run build`) and clearly relies on network access and local config files, but it does not expose an explicit permissions model to constrain or inform those capabilities. This creates a transparency and governance gap: users and orchestrators may invoke a skill that can access credentials and external services without clear permission boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a tweet writer/publisher, but the documented behavior extends to deleting tweets, uploading local media, saving output artifacts locally, and invoking broad YouMind API surfaces such as search, archiving, boards, materials, crafts, and image generation. That mismatch weakens informed consent and can enable unexpectedly destructive or privacy-impacting actions under a benign-seeming skill description.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata and declared purpose are limited to writing and publishing tweets/threads, but the CLI also exposes a destructive delete command. This creates hidden capability expansion: any agent or user invoking the skill could remove existing posts despite that behavior not being disclosed in the manifest, violating least privilege and increasing the risk of unauthorized or unexpected content deletion.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
A write-and-publish social posting skill does not need delete privileges to fulfill its stated function, so exposing deletion is an unjustified destructive permission. In an agent setting, this broadens the action surface from content creation to content removal, enabling accidental or malicious deletion of tweets if the command is invoked.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The skill persists tweet/thread metadata to a local JSON file under the project output directory, even though its stated purpose is publishing to X. This creates an extra data sink for post content, URLs, and IDs that may surprise users, leak sensitive draft material, or leave recoverable artifacts on shared systems.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The file exposes a delete-post endpoint even though the skill metadata only describes creating and publishing tweets/threads. This creates capability drift: an agent or prompt flow intended only for publishing could invoke destructive functionality not expected by the user, enabling unauthorized deletion of existing posts if the connected account has access.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The exported deleteXPost function performs a destructive remote action against the connected X account, but that capability is not justified by the skill's stated purpose of writing/publishing tweets. In an agent setting, hidden destructive actions are dangerous because a compromised workflow, prompt injection, or misrouted tool call could delete user content without clear user intent.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file exposes content-creation capabilities beyond the skill’s declared purpose of researching and publishing tweets to X, specifically saving arbitrary markdown documents into YouMind and, elsewhere in the same shared client, supporting unrelated generative actions. In an agent-skill context, this kind of scope expansion increases the attack surface because prompt injection or misuse can drive the agent to write or persist data the user did not intend, violating least privilege and creating opportunities for unauthorized actions in the connected account.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The client supports broad retrieval across boards, materials, crafts, and web search, which exceeds the manifest’s narrower tweet-writing function. In a skill connected to a user knowledge base, overbroad read capabilities are dangerous because a compromised or manipulated workflow can enumerate and exfiltrate unrelated private content while appearing to perform benign tweet research.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Image generation through a chat/agent mode is not aligned with the declared tweet-writing/publishing purpose and introduces an additional powerful tool path that can be triggered indirectly. Because it creates a long-lived agent chat that auto-loads tools and polls for results, it expands both capability and execution complexity, making prompt-injection-driven misuse or unauthorized content generation more likely in the context of a connected user account.
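The capability findings above all reduce to one check: does the skill's manifest disclose every command, side effect and permission that its CLI and shared client actually expose? The following script is an added example of that check, not SkillSpector's scanner and not the youmind-x-article skill's own code. The manifest dictionary, the command table and the effect labels (`reads_secret`, `external_api`, and so on) are constructed here to mirror the findings on this page; they are assumptions, not the skill's real data.

```python
"""Capability-drift check: compare what a skill manifest discloses with what its
CLI and client actually expose. Added example, not SkillSpector's scanner or the
youmind-x-article skill's own code. The manifest and command table below are
constructed to mirror the findings on this page; the effect labels are assumptions."""
import re
from dataclasses import dataclass, field

# Verbs whose presence in a command name marks it destructive.
DESTRUCTIVE_VERBS = {"delete", "remove", "destroy", "purge", "revoke", "wipe"}

# Words in a manifest description that count as disclosing a side effect.
DISCLOSURE_WORDS = {
    "reads_secret": {"key", "credential", "credentials", "config", "token"},
    "writes_local_file": {"local", "file", "files", "save", "saves", "output"},
    "external_publish": {"publish", "publishes", "post", "posts"},
    "external_api": {"api", "search", "archive", "archives", "board", "boards"},
}

@dataclass
class Command:
    name: str                                   # CLI subcommand or exported function
    effects: set = field(default_factory=set)   # keys of DISCLOSURE_WORDS

# Constructed manifest: the declared purpose and allowed tools named in the findings.
MANIFEST = {
    "name": "youmind-x-article",
    "description": "Research and write tweets and threads, then publish them to X.",
    "allowed_tools": ["Bash(node dist/cli.js *)", "npm install", "npm run build"],
}

# Constructed command table: what the findings say the code actually exposes.
COMMANDS = [
    Command("publish", {"external_publish", "reads_secret"}),
    Command("delete", {"external_api", "reads_secret"}),
    Command("search", {"external_api"}),
    Command("save-local", {"writes_local_file"}),
]

def _words(text):
    """Lower-case word set of a description. Whole-word matching is deliberate,
    so 'research' does not count as disclosing 'search'."""
    return set(re.findall(r"[a-z]+", text.lower()))

def find_drift(manifest, commands):
    """Return (subject, kind, detail) triples for every undisclosed capability."""
    words = _words(manifest["description"])
    issues = []
    for tool in manifest.get("allowed_tools", []):
        if "*" in tool:   # wildcard permission: every subcommand, including delete, is reachable
            issues.append((tool, "wildcard_permission", "pattern grants every subcommand"))
    for cmd in commands:
        verb = re.split(r"[-_]", cmd.name)[0].lower()
        if verb in DESTRUCTIVE_VERBS and verb not in words:
            issues.append((cmd.name, "undisclosed_destructive", f"'{verb}' absent from description"))
        for effect in sorted(cmd.effects):
            if not DISCLOSURE_WORDS[effect] & words:
                issues.append((cmd.name, "undisclosed_effect", effect))
    return issues

if __name__ == "__main__":
    for subject, kind, detail in find_drift(MANIFEST, COMMANDS):
        print(f"{kind:24} {subject:26} {detail}")
```

Run against the constructed data, the check reports the wildcard `Bash(node dist/cli.js *)` pattern, the undisclosed `delete` verb, and the secret read, local write and broad API access that the one-line description never mentions, while the `publish` command's publishing effect passes because the description says "publish". The disclosure vocabulary is the part to tune for a real manifest; the logic is the same whatever the wording.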

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase `tweet` is extremely broad and likely to match many ordinary requests, increasing the chance this skill is auto-selected when the user did not intend to publish content or use YouMind services. In this context, overbroad routing is risky because the skill can build software, read shared config, and potentially publish to a connected external account.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger `write thread` is ambiguous and can overlap with non-X writing tasks such as forum posts, email threads, or threaded discussions. Because this skill is capable of external publication, ambiguous invocation raises the risk of accidental routing into a workflow that prepares or publishes social-media content unexpectedly.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The playbook includes a Translate/Localize mode and defines outputs in a target language or for a different audience without an explicit step requiring the user's consent and target-language confirmation. In a publishing skill connected to a live X account, this can cause unintended public posting in the wrong language or locale, misrepresenting the user's intent or brand.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The translation guidance says to rebuild the thread natively in the target language and adapt examples to the target audience, but it never requires explicit user opt-in or verification of the intended audience. In this skill's context, that increases the risk of silently changing meaning, audience targeting, or cultural framing before posting to a connected social account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The pipeline explicitly instructs the skill to read a local API key from `~/.youmind/config.yaml`, which is sensitive credential access. In an agent context, silently reading local secrets without an explicit user-facing notice and consent boundary is dangerous because it normalizes secret retrieval and could expose or misuse credentials if the skill is triggered unexpectedly or behaves unsafely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The pipeline describes publishing content to YouMind/X APIs and optionally archiving content back to YouMind, but it does not require a clear warning that user content, media URLs, post metadata, and generated text will be transmitted to external services. Because this skill can cause public posting and third-party data transfer, lack of explicit notice and confirmation materially increases the risk of accidental disclosure, unintended publication, and privacy breaches.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The fallback instructs the skill to save adapted text locally under `output/` if publishing fails, but it does not warn the user that a local file will be created. Even though this is lower impact than credential access or public posting, silent local persistence can leave sensitive draft content on disk unexpectedly, creating privacy and data retention risks.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The module writes published tweet/thread metadata and content-related details to local disk without making that side effect explicit in this file's public contract. Even if intended for diagnostics, local persistence can expose posting history and content to other local users, backups, or forensic recovery.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function issues a destructive network request that deletes a remote post, yet the skill description does not disclose deletion behavior and the file shows no visible confirmation or safeguard. In a publish-focused skill, undisclosed destructive operations materially increase the risk of accidental or malicious content removal from the user's X account.
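The Missing User Warnings findings share a single gap: destructive actions, secret reads and local writes happen with no user-facing notice and no confirmation step between the model's decision and the side effect. The gate below is an added example of how an agent host can impose that boundary; it is not code from the skill or from SkillSpector. The tool names (`publish_tweet`, `delete_post`, `read_api_key`, `save_local_draft`) and the handlers are assumptions constructed for the demo. The key design point is that the confirmation code is delivered only on the user channel and never enters model context, so a prompt-injected tool call cannot confirm itself by passing a `confirmed=True` argument.

```python
"""Runtime gate for agent tool calls. Added example, not the youmind-x-article
skill's code: held actions are released only by a nonce sent to the user channel,
which the model never sees. Tool names and handlers below are constructed."""
import secrets

# Risk class per tool. These names are assumptions for the demo, not the skill's API.
RISK = {
    "publish_tweet": "external_publish",
    "delete_post": "destructive",
    "read_api_key": "secret_read",
    "save_local_draft": "local_write",
}
HOLD = {"destructive", "secret_read", "external_publish"}   # need out-of-band user confirmation
NOTIFY = {"local_write"}                                     # run, but tell the user about the side effect

class ToolGate:
    def __init__(self, handlers, notify_user):
        self.handlers = handlers          # tool name -> callable(**args)
        self.notify_user = notify_user    # user-facing channel; its payload is not model context
        self.pending = {}                 # nonce -> (tool, args)
        self.audit = []                   # append-only record of every decision

    def request(self, tool, **args):
        """Entry point for model-originated tool calls."""
        risk = RISK.get(tool)
        if risk is None or tool not in self.handlers:
            self.audit.append(("denied", tool))
            return {"status": "denied", "reason": "tool not registered"}
        # Any claim of consent carried inside model-controlled arguments is discarded.
        args.pop("confirmed", None)
        if risk in HOLD:
            nonce = secrets.token_hex(8)
            self.pending[nonce] = (tool, args)
            self.notify_user(f"Agent wants to run {tool} with {args}. Confirm with code {nonce}.")
            self.audit.append(("held", tool))
            return {"status": "held", "reason": f"{risk} requires user confirmation"}
        if risk in NOTIFY:
            self.notify_user(f"Note: {tool} will write files locally: {args}")
        return self._run(tool, args)

    def confirm(self, nonce):
        """Entry point for the user input path. Releases a held call exactly once."""
        item = self.pending.pop(nonce, None)
        if item is None:
            self.audit.append(("bad_confirmation", nonce))
            return {"status": "denied", "reason": "unknown or reused confirmation code"}
        tool, args = item
        self.audit.append(("confirmed", tool))
        return self._run(tool, args)

    def _run(self, tool, args):
        result = self.handlers[tool](**args)
        self.audit.append(("ran", tool))
        return {"status": "ok", "result": result}

def demo():
    """Constructed scenario: an injected delete with a forged consent flag, then a real confirmation."""
    posts = {"1001": "hello"}                      # fake remote state
    handlers = {
        "publish_tweet": lambda text: "1002",
        "delete_post": lambda post_id: posts.pop(post_id, None),
        "read_api_key": lambda: "ym_fake_key",
        "save_local_draft": lambda slug, text: f"~/.youmind/articles/x/{slug}.md",
    }
    user_msgs = []
    gate = ToolGate(handlers, user_msgs.append)
    held = gate.request("delete_post", post_id="1001", confirmed=True)   # forged flag is ignored
    code = user_msgs[-1].rsplit(" ", 1)[-1].rstrip(".")                  # user reads the code
    ran = gate.confirm(code)
    replay = gate.confirm(code)                                          # second use is refused
    local = gate.request("save_local_draft", slug="draft", text="...")   # runs, with a notice
    return held, ran, replay, local, posts, user_msgs

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The hold-and-release split is what makes the confirmation meaningful: the model only ever learns that the call was held, the nonce travels on the user channel, and a replayed or guessed code is refused. The same structure covers the secret read in `~/.youmind/config.yaml` and public publishing, and the audit list gives the operator the record the findings say is missing.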

Session Persistence

Medium
Category
Rogue Agent
Content
## Draft Location Rule

**Canonical:** write local tweet Markdown files to `~/.youmind/articles/x/<slug>.md`. This shared home directory is available to all YouMind skills — see [`shared/YOUMIND_HOME.md`](shared/YOUMIND_HOME.md).

**Legacy fallback** (if `~/.youmind/` is not writable): `skills/youmind-x-article/output/<slug>.md`.
Confidence
91% confidence

Session Persistence

Medium
Category
Rogue Agent
Content
Platform skills MUST work in both modes:

### Standalone mode
User invokes the platform skill directly (`"Write an article about X for this platform"`):
- No content brief is provided
- Skill follows its own pipeline from scratch
- **Fallback for author DNA**: skill MAY read `~/.youmind/author-profile.yaml` to apply user voice/preferences. If the shared profile does not exist, proceed with platform defaults. Legacy fallback paths are optional migration aids, not the canonical location.
Confidence
87% confidence

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
80% confidence
Finding
The trigger `write thread` conflicts with the common built-in verb `write`, creating shadowing risk where a generic authoring request may invoke this skill unexpectedly. In a skill that can access external services and publish to X, command ambiguity can lead to unintended content generation or publishing workflows.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
74% confidence
Finding
The Chinese trigger `推特` is very short and broadly matches any mention of Twitter/X, including casual discussion rather than an intent to publish. The risk is contextual rather than severe, but short broad triggers can cause accidental activation of a skill with external-account side effects.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
76% confidence
Finding
The trigger `发推` is also short and ambiguous, making accidental invocation more likely in multilingual conversations. While not inherently malicious, broad trigger matching becomes more dangerous here because the skill may interact with a connected X account and shared YouMind credentials.
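The five trigger findings (Vague Triggers, Shadow Command Trigger and Overly Broad Trigger) can be reproduced with a small lint over the manifest's trigger list. The script below is an added example, not SkillSpector's implementation and not part of the skill. The generic-verb list, the scoping-noun lists and the severity thresholds are assumptions chosen to reproduce the judgements on this page; a real deployment would tune them to the host agent's built-in commands.

```python
"""Trigger-breadth lint for skill manifests. Added example, not SkillSpector's or
the youmind-x-article skill's code. The verb, scope and severity tables are
assumptions chosen to reproduce the trigger findings on this page."""
import unicodedata

# Verbs the host agent already understands generically; a trigger led by one shadows it.
GENERIC_VERBS = {"write", "make", "create", "draft", "edit", "send", "post"}
# Words that tie a trigger to a specific platform or service.
LATIN_SCOPE = {"x", "twitter", "youmind"}
CJK_SCOPE = {"推特"}

def _is_wide(ch):
    """True for CJK ideographs and other East Asian wide characters."""
    return unicodedata.east_asian_width(ch) in ("W", "F")

def lint_trigger(phrase):
    """Return issue tags for one trigger phrase, in a fixed order."""
    p = phrase.strip()
    tokens = p.lower().split()
    wide = [ch for ch in p if _is_wide(ch)]
    issues = []
    if len(tokens) == 1 and not wide:
        issues.append("single_word")                 # e.g. 'tweet' matches casual mentions
    if tokens and tokens[0] in GENERIC_VERBS:
        issues.append("shadows_generic_verb")        # e.g. 'write thread' vs built-in 'write'
    if wide and len(wide) == len(p) and len(p) <= 2:
        issues.append("short_cjk")                   # e.g. '推特', '发推'
    scoped = bool(set(tokens) & LATIN_SCOPE) or any(n in p for n in CJK_SCOPE)
    if not scoped:
        issues.append("unscoped")                    # nothing names the target platform
    return issues

def lint_triggers(triggers):
    """Severity per trigger: medium for two or more issues, low for one, ok for none."""
    report = {}
    for t in triggers:
        issues = lint_trigger(t)
        severity = "medium" if len(issues) >= 2 else "low" if issues else "ok"
        report[t] = {"issues": issues, "severity": severity}
    return report

if __name__ == "__main__":
    sample = ["tweet", "write thread", "推特", "发推", "publish thread to x"]
    for trig, r in lint_triggers(sample).items():
        print(f"{trig!r:24} {r['severity']:7} {', '.join(r['issues']) or '-'}")
```

On the page's four triggers the lint flags `tweet` as a single unscoped word, `write thread` as shadowing the generic `write` verb, and both Chinese triggers as two-character phrases; the constructed `publish thread to x` passes because it names the platform and does not start with a generic verb. Scoping the trigger to the platform is the cheapest fix for a skill whose side effects reach a connected external account.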

VirusTotal

66/66 vendors flagged this skill as clean.
