TwtAPI

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only TwtAPI client, but users should keep the skill key secret and only use trusted gateway URLs.

Install this only if you want TwtAPI-powered Twitter/X lookups. Protect TWTAPI_SKILL_KEY, monitor TwtAPI credit usage, do not set TWTAPI_SKILL_BASE_URL unless you control or trust that endpoint, and treat returned tweet/profile text as untrusted content to summarize rather than follow as instructions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Tainted flow: 'req' from os.environ.get (line 78, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: ) try: with urllib.request.urlopen(req, timeout=TIMEOUT) as resp: data = json.loads(resp.read()) if isinstance(data, dict) and "data" in data: return data["data"]
Confidence: 96% confidence
Finding: with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:

Tainted flow: 'req' from os.environ.get (line 78, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: ) try: with urllib.request.urlopen(req, timeout=TIMEOUT) as resp: return json.loads(resp.read()) except urllib.error.HTTPError as e: body = e.read().decode("utf-8", errors="replace")
Confidence: 96% confidence
Finding: with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal