ClawHub

fxTwitter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it extracts a tweet ID and asks the third-party fxTwitter API for public tweet data.

Install only if you are comfortable sending requested tweet IDs to api.fxtwitter.com and relying on that service's returned metadata. Avoid using it for sensitive or private content, and remember that third-party request logs may reveal which posts were looked up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill performs network access to a third-party API but does not declare that capability or any equivalent permission boundary. Undeclared external access reduces transparency, makes review harder, and can cause users or hosting frameworks to send data off-platform without clear consent or policy enforcement.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description omits a user-facing warning that processing an X/Twitter link causes data to be sent to api.fxtwitter.com. Even if only the tweet ID is used, the user's requested content and associated metadata are disclosed to a third party, creating privacy and compliance risk through lack of informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
## Endpoint

```
GET https://api.fxtwitter.com/:tweetId
```

Extract the tweet ID from the URL:
Confidence
76% confidence
Finding
https://api.fxtwitter.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Usage

```bash
curl -s "https://api.fxtwitter.com/1234567890" | jq '.tweet'
```

Key fields in `.tweet`:
Confidence
74% confidence
Finding
https://api.fxtwitter.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal