
Security audit

Read Tweet

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it reads public Twitter/X links through documented third-party proxy APIs, with some privacy and scoping caveats.

Install only if you are comfortable with Twitter/X URLs you ask it to read being sent to fxtwitter or vxtwitter. Use it for public tweet links, and ask for confirmation before it fetches linked articles or uses any search fallback. The publisher should remove or declare the WebSearch fallback and document third-party proxy disclosure more clearly.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill instructs use of WebSearch as a fallback even though WebSearch is not declared in allowed-tools. This creates a tool-policy mismatch that can lead an agent to violate capability boundaries or behave unpredictably when the primary path fails, which is a real safety and compliance issue even if it is not directly exploitable as code execution.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The manifest declares only Bash and Read, but later guidance instructs the agent to use WebSearch. Contradictory tool constraints weaken enforcement and may cause the agent to exceed intended permissions during execution, which is especially risky in systems that rely on the manifest as a security boundary.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs sending user-supplied Twitter/X URLs to third-party proxy services without any user-facing notice or consent flow. This exposes user-request metadata and requested content to external operators, creating privacy, logging, and trust risks that are material in a skill whose purpose is simply reading shared links.

VirusTotal

66/66 vendors flagged this skill as clean.
