X CDP Automation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it can publish from a real logged-in X account and sets up a persistent CDP-controlled browser session, so users should review it carefully before installing.

Install only if you are comfortable letting an agent operate a real X account through your browser. Use a dedicated Chromium profile and preferably a dedicated X account, keep the remote-debugging port bound to loopback only, review the exact text and target URL before every live post, run with --dry-run first, install the dependencies yourself with pinned versions rather than letting the setup script fetch them into /tmp, and close the CDP-enabled browser when you are finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger is very broad and can match generic requests about X/Twitter, causing the skill to activate in contexts the user may not intend, including actions on real logged-in accounts. In this skill, activation leads to browser automation against a persistent authenticated session, so ambiguous triggering materially increases the chance of unintended posting or account actions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The setup instructs users to launch Chromium with remote debugging enabled on a persistent logged-in profile, but it does not prominently warn that the CDP endpoint is unauthenticated: anything that can reach the port can read cookies and session state, drive any tab, and act as the user on X and on any other site that profile is signed in to. If the debugging port is bound to anything other than localhost, or if the local environment is compromised, an attacker gets exactly that control.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script directly clicks the Publish button and posts an article unless --dry-run is set, with no built-in confirmation gate, preview acknowledgment, or explicit user approval immediately before publication. In an agent/automation context tied to a real logged-in browser session, malformed prompts, accidental invocation, or prompt injection in upstream tooling could cause unintended public posting from the user's X account.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script performs an irreversible public action by sending a reply immediately after composing it, without any explicit user confirmation step unless --dry-run is manually chosen. In an agent setting, this increases the risk of accidental, unwanted, or prompt-manipulated posting from a real logged-in account, which can cause reputational harm or unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The setup script automatically runs `npm init` and `npm install puppeteer-core` in `/tmp` without asking for user confirmation and without pinning a version, so it installs whatever is latest at that moment. This performs network-backed code installation in a world-writable location, increasing supply-chain and local tampering risk, especially because Node resolves modules by walking up from the script's directory, so later execution may load modules from `/tmp/node_modules`.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal