Wip X

Security checks across malware telemetry and agentic risk

Overview

This X integration is mostly transparent about its purpose, but it gives an agent live account-changing powers and arbitrary local-file upload without enough built-in safeguards.

Install only if you intend to let an agent operate a real X account. Prefer read-only bearer credentials unless you need posting or deletion, keep OAuth tokens least-privileged, require human approval before post/delete/upload actions, and only pass file paths for media you have explicitly reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The file exposes a destructive capability via `delete_tweet`, while the supplied finding indicates this capability is omitted from the manifest. Hidden write/delete actions are dangerous because an orchestrator, reviewer, or user may believe the skill is lower risk than it really is, leading to accidental invocation of destructive operations without appropriate scrutiny or consent.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The top-level description says the skill can read posts, search, post, and upload media, but omits that it can also delete tweets. Hiding or failing to disclose destructive capability undermines informed consent and can cause an agent or user to invoke the skill without appreciating that account-destructive actions are available.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README prominently documents destructive and account-modifying operations such as posting, deleting tweets, bookmarking, and media upload, but does not include an explicit warning that these actions affect a real X account and may be irreversible or operationally sensitive. In an agent-skill context, this increases the risk that a user or autonomous agent invokes write actions unintentionally during exploration, testing, or integration.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill exposes account-affecting actions such as posting, deleting, and bookmarking content, but it does not clearly warn users that these actions can modify a live X account and that deletion or public posting may be irreversible in practice. In a tool that mixes read and write capabilities, the lack of an explicit safety warning increases the risk of accidental destructive or reputation-impacting actions by an agent or user.

Missing User Warnings

Medium
Confidence: 92%
Finding
`upload_media` reads arbitrary local files from `file_path` and sends their contents to the X API as base64. In an agent setting, this creates a clear exfiltration path from the local filesystem to an external service, especially because there is no visible restriction on allowed directories, file types, or any confirmation step before upload.

Missing User Warnings

Medium
Confidence: 90%
Finding
`delete_tweet` performs an irreversible account action with no confirmation, preview, or safety interlock in this file. In an agent workflow, a malformed prompt, tool misuse, or prompt injection elsewhere could cause unintended deletion of posts, making the lack of a confirmation barrier materially dangerous.

Missing User Warnings

Medium
Confidence: 89%
Finding
The server exposes `x_delete_tweet` directly with no visible confirmation, policy gate, or secondary approval before executing a destructive action. In an agent setting, this increases the chance of accidental or prompt-induced deletion of user content, especially because the tool is callable through generic tool dispatch.

Missing User Warnings

Medium
Confidence: 86%
Finding
`x_upload_media` accepts an arbitrary local file path and uploads the referenced file to X, but the server code shows no execution-time disclosure, path restrictions, or user confirmation. In an agent environment, this can lead to unintentional exfiltration of sensitive local files if the model is induced to supply a path or infer one from context.

VirusTotal

65/65 vendors flagged this skill as clean.