x-research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It fetches external data from X/Twitter via Apify, which is then processed by an AI model in the video analysis step.
  - Ingestion points: `fetch_tweets.py` retrieves raw tweet content and metadata from X.
  - Boundary markers: None specified in the workflow; raw data is passed to processing scripts.
  - Capability inventory: The workflow executes Python scripts (`analyze_posts.py`, `analyze_videos.py`), writes files to the local system, and uses the `google-genai` package to process the untrusted content.
  - Sanitization: No sanitization or filtering of tweet text is mentioned before it is analyzed by the AI. An attacker could craft a tweet containing instructions that manipulate the Gemini model's analysis or the resulting report.
- [COMMAND_EXECUTION] (LOW): The skill relies on executing local Python scripts (`python3 .claude/skills/...`). While standard for skill operation, this requires the user to trust that the referenced scripts (which are not provided for analysis here) do not perform malicious actions. The `Verify setup` block also executes arbitrary Python code strings at the command line.
- [CREDENTIALS_UNSAFE] (LOW): The skill requires `APIFY_TOKEN` and `GEMINI_API_KEY`. While it correctly suggests using environment variables or `.env` files rather than hardcoding, the availability of these keys in the environment increases the risk of exposure if other malicious skills are present.
Recommendations
- AI detected serious security threats
Audit Metadata