X Trends (using official API)

Security checks across malware telemetry and agentic risk

Overview

This skill transparently uses a user-provided X API token to fetch trending topics and does not show hidden or unrelated behavior.

Install only if you are comfortable giving the skill access to an X API bearer token. Use a minimally scoped token where possible, keep it private, and revoke it from the X Developer Portal if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill clearly requires access to an environment variable containing an X API bearer token and makes outbound network requests to the X API, but it does not declare explicit permissions for those capabilities. That mismatch is a real security issue because users and policy engines may not get accurate visibility into secret access and network behavior, increasing the chance of unintended token exposure or unreviewed external communication.

VirusTotal

66/66 vendors flagged this skill as clean.
