X (Twitter) Search by Desearch

Security checks across malware telemetry and agentic risk

Overview

This is a read-only X/Twitter search helper that uses your Desearch API key and sends searches to Desearch as part of its advertised function.

Install this only if you trust Desearch with your X/Twitter searches and identifiers. Use a dedicated, revocable API key, avoid entering secrets or regulated investigative terms as search queries, and review Desearch's privacy and retention terms if that data is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documentation does not warn that user queries and fetched X/Twitter content are transmitted to a third-party service using the configured DESEARCH_API_KEY. Because searches may contain sensitive investigative terms, usernames, URLs, or post IDs, users can unknowingly disclose operationally sensitive data to an external provider, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence: 92%
Finding
The CLI sends user-supplied search queries, usernames, post IDs, and URLs to the external desearch.ai API, but the normal execution path provides no explicit disclosure or consent prompt before transmitting that data. In a tool context, this can expose potentially sensitive investigative targets or operator queries to a third-party service, especially if users assume processing is local.

VirusTotal

66/66 vendors flagged this skill as clean.
