alphai-twitter

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed sensitive tokens (Cookie: dex_cookie=, listenKey=<listen_key>) in HTTP headers/URL parameters and instructs generating complete calling code that performs dex_cookie authentication and listenKey renewal, which requires inserting secret token values into requests and thus risks verbatim secret handling/exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public, user-generated tweets from third-party sources via HTTP endpoints (e.g., /smart-web-gateway/tracker/x/monitorList, /tracker/x/myList, /smart-web-gateway/x/search, /smart-web-gateway/x/tweets) and a WebSocket stream (wss://ws.alph.ai/stream/ws), and those tweets are parsed and used to drive analysis, extract contract addresses, trigger alerts and follow-up actions—so untrusted content can materially influence agent decisions.