Creator Watch

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Twitter/X creator research workflow, with no bundled executable code or hidden install behavior, but scraping and database writes should be user-confirmed.

Before installing, inspect or obtain the referenced twitter_scraper.py and db_import.py files, confirm how any Twitter/X authentication works, and require explicit approval before scraping or importing data. Treat the database as a retained copy of third-party public content and keep scrape volume limited to the intended watchlist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger list is broad enough to activate on common research or social-media questions such as 'who should I follow' or 'analyze creator', which can cause the skill to run unexpectedly outside a clearly intended scraping context. In this skill, unintended activation is more concerning because the skill includes downstream scraping and database import actions, increasing the chance of collecting or processing data without explicit user intent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs scraping Twitter/X creators and importing content into a database but does not present any user-facing warning, consent boundary, retention policy, or platform-compliance guidance. That omission can lead users or agents to collect and persist third-party content without understanding privacy, terms-of-service, or data governance implications, especially when combined with automated batch scraping workflows.

VirusTotal

No VirusTotal findings
