interacting-with-x

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection because it ingests untrusted external content and provides powerful side-effect capabilities.
    • Ingestion points: scripts/read.py fetches text from the home timeline, mentions, user tweets, and searches.
    • Boundary markers: No delimiters or instructions are used to distinguish tweet content from agent instructions.
    • Capability inventory: High-impact capabilities include posting (scripts/post.py), deleting tweets, and engagement actions like following or retweeting (scripts/engage.py).
    • Sanitization: No filtering or validation is performed on the ingested content. An attacker could tweet instructions that command the agent to perform unauthorized actions.
  • DATA_EXFILTRATION (HIGH): The upload_media function in scripts/post.py accepts an arbitrary file path and uploads its content to Twitter's media servers. An attacker could use prompt injection to trick the agent into passing sensitive files (e.g., .env, ~/.ssh/id_rsa, or AWS credentials) as the --image argument, effectively leaking them.
  • CREDENTIALS_UNSAFE (LOW): The skill requires multiple high-privilege API tokens (API Key, Secret, Access Token, etc.). While they are managed through environment variables rather than being hardcoded, the presence of these secrets increases the impact of a successful injection attack.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:20 AM