twitter-automation

Fail

Audited by Socket on Mar 8, 2026

1 alert found:

Malware (HIGH)
SKILL.md

Overall, the skill's stated purpose and its capabilities are coherently aligned: Twitter/X automation via inference.sh, with concrete app capabilities and workflow examples. However, the install workflow relies on a curl | sh pattern to fetch an unverified, binary-like CLI from remote URLs, which introduces a non-trivial supply-chain risk. This download-execute pattern, even when checksum-verified, is a critical concern and elevates security risk. The data flow for posting to X APIs is expected and proportionate to the described task, but explicit credential handling, secret management, and least-privilege controls are not documented and should be clarified before deployment. Given the combination of a download-execute install path and implicit credential usage without explicit hardening details, this skill should be flagged as SUSPICIOUS, with potential to be BENIGN if the distribution channel is replaced with a verifiable, signed binary or official registry, and credentials are managed securely.

Confidence: 98%
Severity: 55%

Audit Metadata

Analyzed At: Mar 8, 2026, 02:51 AM
Package URL: pkg:socket/skills-sh/1nfsh-s3%2Fskills%2Ftwitter-automation%2F@c43b15907dcd100858bc319be46fd94f2754d150