TwitterScore

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward TwitterScore API helper skill with no executable payload, but users should know queried account names and IDs go to TwitterScore.io.

Install/use this only if you trust TwitterScore.io and the local twitterscore CLI you will run. Use a dedicated revocable API key, avoid passing secrets directly on shared command lines, and do not submit confidential target lists unless you are comfortable sending those account identifiers to the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to query Twitter accounts through the TwitterScore.io API but does not clearly warn that requested usernames, IDs, and related lookup targets are transmitted to an external third-party service. This can create unintended data disclosure, especially when users analyze sensitive target lists, competitor accounts, client-related handles, or internal research subjects under the assumption the tool is only local CLI functionality.

VirusTotal

61/61 vendors flagged this skill as clean.
