
Security audit

xclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed X/Twitter scraping and archiving helper that saves visible posts and media locally, with no evidence of hidden execution or destructive behavior.

Install this only if you want the agent to scrape selected X pages and save a local archive. Avoid using it on private or sensitive timelines unless you intend to retain that content, and review or delete the generated ../../intel/x reports and media when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill directs the agent to create local directories, download media files, and write an intelligence report to disk without any disclosure, consent gate, or retention guidance. This is dangerous because it causes persistent storage of potentially sensitive scraped content and metadata, which can surprise users, leak private browsing-derived data into local artifacts, or violate expected data-handling boundaries.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill instructs the use of curl to fetch media from external X/Twitter media hosts, but does not warn the user that additional outbound network requests and data transfer will occur beyond page viewing. This expands the operation from passive extraction to active downloading, which can expose IP/network metadata, consume bandwidth, and retrieve untrusted remote content without explicit approval.

VirusTotal

64/64 vendors flagged this skill as clean.
