Skill: X Post AI Image

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it advertises, but it publishes live X/Twitter posts and delegates image generation to a helper script whose path is read from the NANO_BANANA_SCRIPT environment variable. That helper is started as a subprocess with a copy of the full process environment, so it can read every credential the skill can, including the X/Twitter OAuth tokens that the posting step needs.

Install only if you are comfortable granting runtime access to X/Twitter OAuth tokens and a Gemini API key. Use a test or dedicated account where possible, review the post text and image prompt before running, never point NANO_BANANA_SCRIPT at an untrusted or writable-by-others path, and isolate credentials so the image helper receives only the Gemini key and never the X posting tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content

def generate_image(prompt: str, out_path: str) -> str:
    result = subprocess.run(
        ["uv", "run", NANO_BANANA_SCRIPT, "--prompt", prompt, "--filename", out_path, "--resolution", "1K"],
        capture_output=True, text=True,
        env={**os.environ, "GEMINI_API_KEY": os.environ.get("GEMINI_API_KEY", "")},
    )
Confidence
95% confidence
Finding
result = subprocess.run( ["uv", "run", NANO_BANANA_SCRIPT, "--prompt", prompt, "--filename", out_path, "--resolution", "1K"], capture_output=True, text=True, env={**os.envi

Direct flow: os.environ.get (credential/environment) → subprocess.run (code execution)

High
Category
Data Flow
Content

def generate_image(prompt: str, out_path: str) -> str:
    result = subprocess.run(
        ["uv", "run", NANO_BANANA_SCRIPT, "--prompt", prompt, "--filename", out_path, "--resolution", "1K"],
        capture_output=True, text=True,
        env={**os.environ, "GEMINI_API_KEY": os.environ.get("GEMINI_API_KEY", "")},
    )
Confidence
98% confidence
Finding
result = subprocess.run( ["uv", "run", NANO_BANANA_SCRIPT, "--prompt", prompt, "--filename", out_path, "--resolution", "1K"], capture_output=True, text=True, env={**os.envi

Tainted flow: 'NANO_BANANA_SCRIPT' from os.environ.get (line 14, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content

def generate_image(prompt: str, out_path: str) -> str:
    result = subprocess.run(
        ["uv", "run", NANO_BANANA_SCRIPT, "--prompt", prompt, "--filename", out_path, "--resolution", "1K"],
        capture_output=True, text=True,
        env={**os.environ, "GEMINI_API_KEY": os.environ.get("GEMINI_API_KEY", "")},
    )
Confidence
98% confidence
Finding
result = subprocess.run( ["uv", "run", NANO_BANANA_SCRIPT, "--prompt", prompt, "--filename", out_path, "--resolution", "1K"], capture_output=True, text=True, env={**os.envi

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation indicates use of environment variables holding sensitive API and OAuth tokens and execution of shell-capable tooling (`python3`, `uv`, `xurl`), but it declares no corresponding permissions. This is a transparency and policy-enforcement gap: an agent or user may invoke the skill without realizing it can read secrets and perform authenticated external actions such as posting to X/Twitter, and a permission-aware host has nothing to enforce against.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill’s stated purpose is to generate an image and post to X, but it achieves this by executing an external script from a configurable path. That expands the capability beyond the minimum necessary and creates an unnecessary execution boundary where arbitrary or swapped code could run.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises generating AI images and posting them to X/Twitter, but it provides no warning that the action publishes content to an external public platform. That omission can mislead users or downstream agents into triggering unintended public posting, which is especially risky because the workflow combines content generation and publication in a single step.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script posts to X immediately once invoked, with no confirmation step, dry-run mode, or explicit warning before a public network action that cannot be cleanly undone. In an agent setting this raises the chance of unintended public posting, reputational harm, or abuse if upstream inputs (the post text or the image prompt) are manipulated.
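The two mitigations the overview recommends (a trusted helper path and a scrubbed environment for the image helper) and the confirmation/dry-run gate this finding asks for, as added example code. This is not the skill's own code and is not a drop-in replacement for it; ALLOWED_HELPER_DIR, HELPER_ENV_ALLOWLIST and the publish/confirm callbacks taken by post_to_x are assumptions introduced here, not present in the original skill. The runner argument exists so the flow can be exercised without executing `uv`.

```python
"""Hardened generate_image / post step for the X Post AI Image workflow.

Example code added for this review; it is NOT the skill's own code.
Assumed (not in the original skill): ALLOWED_HELPER_DIR, HELPER_ENV_ALLOWLIST,
and the publish/confirm callbacks taken by post_to_x.
"""
import os
import subprocess
from pathlib import Path
from typing import Callable, Mapping, Optional

# Assumed directory the helper must live in; the original skill has no such limit.
ALLOWED_HELPER_DIR = "/srv/skills/x-post-ai-image"

# Only these keys reach the helper subprocess. The original passes **os.environ,
# which hands the image helper every secret the skill holds, X OAuth tokens included.
HELPER_ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "GEMINI_API_KEY")


def resolve_helper_script(env: Mapping[str, str], allowed_dir: str = ALLOWED_HELPER_DIR) -> Path:
    """Accept NANO_BANANA_SCRIPT only if it is an absolute path that, after
    symlink and '..' resolution, sits inside allowed_dir. File existence is not
    checked here; `uv run` fails loudly on a missing file and generate_image
    surfaces that failure."""
    raw = env.get("NANO_BANANA_SCRIPT", "")
    if not raw:
        raise ValueError("NANO_BANANA_SCRIPT is not set")
    candidate = Path(raw)
    if not candidate.is_absolute():
        raise ValueError("NANO_BANANA_SCRIPT must be an absolute path")
    resolved = candidate.resolve()          # follows symlinks, collapses '..'
    allowed = Path(allowed_dir).resolve()
    if allowed not in resolved.parents:     # the directory itself is also rejected
        raise ValueError(f"helper {resolved} is outside {allowed}")
    return resolved


def build_helper_env(env: Mapping[str, str]) -> dict:
    """Minimal environment for the helper: allowlisted keys only, nothing else."""
    return {key: env[key] for key in HELPER_ENV_ALLOWLIST if key in env}


def generate_image(prompt: str, out_path: str, env: Optional[Mapping[str, str]] = None,
                   allowed_dir: str = ALLOWED_HELPER_DIR, runner: Callable = subprocess.run) -> str:
    """Run the helper with a validated script path and a scrubbed environment.
    `runner` defaults to subprocess.run; tests inject a fake so nothing executes."""
    env = os.environ if env is None else env
    script = resolve_helper_script(env, allowed_dir)
    cmd = ["uv", "run", str(script), "--prompt", prompt,
           "--filename", out_path, "--resolution", "1K"]
    result = runner(cmd, capture_output=True, text=True, env=build_helper_env(env))
    if result.returncode != 0:
        raise RuntimeError(f"image helper failed: {result.stderr.strip()}")
    return out_path


def post_to_x(text: str, image_path: str, publish: Callable[[str, str], str],
              confirm: Callable[[str], bool], dry_run: bool = False) -> str:
    """Gate the public post. `publish` is the caller's function that really calls
    the X API (assumed here, e.g. a wrapper around xurl); it is invoked only after
    `confirm` approves the preview, and never when dry_run is set."""
    preview = f"[X post preview] text={text!r} image={image_path}"
    if dry_run:
        return preview
    if not confirm(preview):
        raise PermissionError("publishing to X was not confirmed")
    return publish(text, image_path)


if __name__ == "__main__":
    # Constructed demo environment: note the X token that must NOT reach the helper.
    demo_env = {"PATH": "/usr/bin", "GEMINI_API_KEY": "gem-demo", "X_ACCESS_TOKEN": "x-secret",
                "NANO_BANANA_SCRIPT": f"{ALLOWED_HELPER_DIR}/nano_banana.py"}
    print(build_helper_env(demo_env))
    print(post_to_x("hello", "out.png", publish=lambda t, i: "posted",
                    confirm=lambda p: False, dry_run=True))
```

The path check resolves symlinks before testing containment, so a symlink inside the allowed directory that points elsewhere is rejected along with relative paths and `..` traversal. Keeping the X tokens out of the helper's environment means that even a swapped helper script gains only the Gemini key, and the confirm/dry-run gate turns the single generate-and-publish step back into two decisions.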

VirusTotal

65/65 vendors reported this skill as clean (no detections).