Multi-Source Feed

Security checks across malware telemetry and agentic risk

Overview

This is a plausible daily-brief skill, but it stores a reusable X/Twitter login session and sets up recurring scraping with weak safety controls.

Install only if you are comfortable giving this tool a reusable logged-in X/Twitter browser session and letting it run recurring local scraping jobs. Treat .env and x_session.json as secrets, restrict access to the project directory, exclude it from backups/version control, review the cron entries before enabling them, and delete or revoke the session when you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill performs shell execution, network access, file reads/writes, and environment-variable handling but does not declare those capabilities. This weakens user consent and platform policy enforcement because the skill can clone code, install packages, write secrets, and schedule jobs without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose suggests a simple feed setup flow, but the documented behavior includes extracting authenticated X session cookies, scraping multiple services, persisting state, and provisioning autonomous delivery jobs. This mismatch is dangerous because users may consent to a benign-seeming setup while the skill performs materially more invasive collection and persistence actions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to connect to a user-opened Chrome instance over the DevTools protocol and extract authenticated X/Twitter cookies into a local file. Cookie extraction from a live browser session is highly sensitive credential handling and exceeds what users would reasonably expect from setting up a daily tech brief.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
Beyond feed setup, the skill provisions scheduled scraping and memo delivery jobs that continue operating autonomously. Persistent automation is security-relevant because it creates ongoing data collection, background execution, and external transmission behavior not fully conveyed by the short description.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This code connects to an already authenticated local Chrome instance and exports its full storage state to disk, effectively extracting session cookies and login state. That capability is unrelated to configuring a daily tech brief, so in this skill context it strongly suggests credential/session harvesting rather than legitimate functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Extracting browser session data from a user's live Chrome profile gives the skill access to authenticated accounts without the user's explicit re-authentication or informed consent. In the context of a news/brief setup tool, this is unjustified and dangerous because stolen session state can be reused to impersonate the user on third-party services.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file defines a real-time X/Twitter monitoring and push-notification workflow, which materially expands the skill beyond its declared purpose of setting up and managing a daily tech brief. This scope drift is dangerous because it introduces unsolicited monitoring and outbound alerting behavior that a user or reviewer would not reasonably expect from the manifest, weakening informed consent and increasing the chance of hidden data collection or surveillance-like functionality.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instructions execute an external shell script (`bash push/run.sh`) to scrape data, which is a higher-risk capability than the manifest suggests and can perform arbitrary local commands, network access, or data exfiltration. Because this behavior is hidden behind a setup-oriented skill description, it creates an execution surface that users and auditors may not anticipate.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation materially differs from the advertised skill purpose. Instead of configuring a customizable multi-source tech brief, it logs into an authenticated X session and scrapes the user's home feed, which creates undisclosed collection of personal feed content and expands access beyond stated functionality. In an agent skill, this mismatch is dangerous because users may grant trust and permissions based on the declared purpose while the code performs unrelated surveillance-like behavior.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code launches a non-headless browser with anti-detection measures, overrides navigator.webdriver, and loads a persisted authenticated session from x_session.json. That combination indicates deliberate stealth access to a logged-in account, which bypasses normal transparency and enables scraping of personalized account data under the user's identity. Within the stated skill context, this is especially suspicious because such stealth browser automation is unnecessary for setting up a daily brief.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation materially exceeds the stated skill purpose. Instead of merely configuring a customizable daily brief, it opens an authenticated X session via a persisted session file and scrapes the user's Home, Following, and Trending feeds, collecting personal feed content and metadata without any visible consent or scope limitation. In an agent skill context, this mismatch is dangerous because users and reviewers may authorize a benign-seeming setup flow while the code performs broad account-backed data collection.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill launches a real Chrome browser with anti-detection settings and injects a script to hide navigator.webdriver, which is classic stealth automation behavior. That is not necessary for ordinary setup of a daily tech brief and indicates an attempt to evade platform detection or policy controls while scraping authenticated content. Evasion mechanisms increase the likelihood of unauthorized automation and make the skill substantially riskier.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The source automatically launches an external scraper process that uses a real browser, which is a materially broader capability than merely configuring or reading a feed for a daily brief. That creates hidden execution and network activity, potentially exposing session data, contacting third-party services, and performing actions the user did not clearly authorize in the skill's stated purpose.

Intent-Code Divergence

Low
Confidence
75% confidence
Finding
The module documentation states that the adapter runs the scraper and reads its output, but the implementation automatically triggers active scraping during fetch rather than behaving like a passive reader. This mismatch can mislead reviewers and users about when code execution and networked browser activity occur, undermining informed consent and safe review.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README encourages a broad natural-language trigger ("help me set up multi-source-feed") that could overlap with ordinary assistant requests and cause unintended installation or configuration actions in an agent environment. In a skill ecosystem where agents may map user utterances to privileged setup flows, ambiguous triggers increase the chance of accidental execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to save an X/Twitter browser session for later scraping but does not warn that session cookies are sensitive credentials that can enable account access if copied or exposed. Because the skill persists authenticated session state for automated reuse, compromise of the saved session file could lead to account hijacking or privacy loss.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The README directs the system to send generated briefs via messaging channels and persist them locally without warning that scraped content, user preferences, and summaries may contain sensitive information. This creates a data disclosure and retention risk, especially when messages are sent to third-party platforms and memo files accumulate locally over time.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill tells the agent to write API keys into a local .env file without warning about persistence, filesystem exposure, backup leakage, or file permissions. Storing secrets this way may be acceptable in development, but doing so automatically without clear disclosure increases the risk of accidental credential exposure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions describe saving authenticated X/Twitter session cookies to x_session.json but do not clearly warn the user that this is equivalent to storing reusable login material locally. If that file is accessed by other processes or exfiltrated, an attacker may hijack the user's account session without needing the password.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Writing storage state to x_session.json persists sensitive authentication material on disk, where it may be copied, exfiltrated, or reused by other local processes. Even aside from the unjustified collection, the code provides no safeguards such as encryption, restricted permissions, secure deletion, or user warning about credential persistence.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown directly instructs the agent to run a scraper shell script and access external services/data without warning the user or obtaining approval. This is dangerous because it normalizes hidden code execution and network activity from content instructions, which can be abused to trigger unauthorized scraping, unexpected costs, privacy issues, or execution of attacker-controlled logic.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script captures authenticated feed content and saves posts, metadata, links, and engagement information to local JSON files such as feed_raw.json and feed_raw_partial.json without any notice, retention controls, or sensitivity labeling. This creates a privacy and data-handling risk because personal browsing/feed data may persist on disk, be accessed by other components, or be exfiltrated later. The skill context increases risk because users expect a setup/configuration action, not silent archival of account-derived content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code loads a persisted authenticated session from x_session.json, allowing access to the user's X account context without any in-code notice, consent prompt, or verification that the user intended account-backed scraping. Persisted session reuse can silently broaden access and, if the file is mishandled, expose the account to unauthorized use. In this skill context, the lack of disclosure is especially concerning because the manifest suggests simple feed setup rather than account session consumption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill writes scraped posts and trending data to local JSON files, including partial saves, without any explicit notice that user feed content and metadata will be persisted on disk. Local persistence increases the risk of unintended retention, secondary access by other processes or users, and accidental disclosure of sensitive browsing-derived content. Because the skill's stated purpose does not clearly imply archival of personal feed data, this behavior is more dangerous in context.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The code transmits user-configured query data and an API credential to a third-party service without any visible consent, notice, or control in the implementation. In a feed-curation skill this is functionally necessary, but it still creates a privacy and data-governance risk if users are unaware that their search terms and configuration are sent off-platform.

VirusTotal

65/65 vendors flagged this skill as clean.
