x-integration
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The host process in host.ts uses spawn to execute local TypeScript scripts via npx tsx. This functionality is restricted to a hardcoded set of script files within the skill's directory, ensuring that arbitrary commands cannot be executed.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the playwright and dotenv-cli packages. These are well-known, legitimate libraries used for browser automation and environment management, and are fetched from the official NPM registry.
- [CREDENTIALS_UNSAFE]: Browser session data, including X authentication cookies, are stored in a persistent profile directory (data/x-browser-profile/). While this involves storing sensitive session information on the host, it is a functional requirement for bypassing bot detection and is clearly documented with advice to exclude these paths from version control.
Audit Metadata