x-twitter
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill relies on the
@xdevplatform/xdkpackage fetched from the NPM registry to perform all API operations with X.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and returns untrusted content from X (such as tweets, user biographies, and mentions) to the agent without sanitization.\n - Ingestion points: Content is ingested through search, timeline, mentions, and user lookup commands (e.g., in
src/commands/search.tsandsrc/commands/timeline.ts).\n - Boundary markers: The skill does not use protective delimiters or specific instructions to help the agent distinguish between tool output and potential embedded commands.\n
- Capability inventory: The skill possesses multiple active capabilities (posting tweets, following users, deleting content) that could be manipulated if an agent follows instructions hidden within fetched data.\n
- Sanitization: No filtering or escaping is applied to the retrieved social media content before it enters the agent's context.\n- [DATA_EXFILTRATION]: The skill reads sensitive
.envand.env.localfiles to obtain X API keys and tokens. While this is the intended method for authentication, accessing these files exposes any other secrets stored within the same environment files.
Audit Metadata