Fxtwitter Extract

Security checks across malware telemetry and agentic risk

Overview

This skill is a user-run helper for fetching public X/Twitter content through FxTwitter, with a privacy disclosure gap but no hidden persistence, credential use, or account-changing behavior.

Install only if you are comfortable sending the X/Twitter URLs, tweet IDs, or handles you request to FxTwitter. Avoid using it for sensitive investigations unless that third-party exposure is acceptable; no API keys or local account credentials are required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly documents and demonstrates outbound network access to the FxTwitter API, but the metadata does not declare that capability or obtain explicit permission. Undeclared network behavior is dangerous because users and orchestrators cannot accurately assess what data may leave the local environment before using the skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs users to send X/Twitter URLs, tweet IDs, and profile handles to a third-party service without a clear warning that this data leaves the system and is subject to the external provider's logging, retention, and policy controls. This creates a privacy and data-governance risk, especially if the skill is used on sensitive investigation targets or private internal workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
import json

def fetch_tweet(status_id: str) -> dict:
    url = f"https://api.fxtwitter.com/2/status/{status_id}"
    req = urllib.request.Request(
        url,
        headers={"User-Agent": "MyBot/1.0"}
Confidence
93% confidence
Finding
https://api.fxtwitter.com/

VirusTotal

65/65 vendors flagged this skill as clean.
