cs

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward X/Twitter search helper that uses your xAI API key and sends search terms to xAI, with no hidden or destructive behavior found.

Install only if you are comfortable sending X/Twitter search terms to xAI and spending quota on your XAI_API_KEY. Avoid confidential queries, consider using a dedicated API key, and verify the publisher because the registry and bundled metadata are not perfectly aligned.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill clearly requires environment access to read XAI_API_KEY and network access to call the xAI API, but those capabilities are not declared as permissions. Undeclared sensitive capabilities reduce transparency and can mislead users or tooling about what the skill can access, which increases the risk of unintended secret exposure or silent external communication.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The description contains broad trigger phrases such as 'find tweets,' 'search X/Twitter,' and 'look up what people are saying,' which can match many common requests. Over-broad routing can cause the skill to be invoked unexpectedly, leading to unnecessary external API calls and transmission of user queries to a third party when a narrower or local capability might have sufficed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal