X Search (Local)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward X/Twitter search helper that uses the user's xAI API key and does not show hidden or unrelated behavior.

Install this only if you intend to let the agent send X/Twitter search queries, filters, and related request metadata to xAI using your API key. Avoid searching for secrets, sensitive personal data, or regulated information, and store XAI_API_KEY carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (79% confidence)
Finding:
The description contains broad trigger phrases like general requests to find what people are saying on X, which can overlap with many ordinary user intents. This can cause over-invocation of the skill and unintended transmission of user queries to the external xAI/X service even when the user did not explicitly ask to use that provider.

Missing User Warnings

Medium (92% confidence)
Finding:
The setup and usage instruct users to provide an API key and send search queries to an external API, but there is no explicit warning that prompts and related search terms will leave the local environment. Users may unknowingly submit sensitive or regulated information to a third-party service, creating privacy, compliance, and data-handling risks.

VirusTotal

65/65 vendors flagged this skill as clean.
