x-twitter-scraper

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes examples and config templates that require inserting the API key verbatim (x-api-key in request headers and .mcp.json), which would cause an agent to request or emit secret values directly into generated code/configs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md shows it fetches and ingests user-generated X/Twitter content (e.g., via endpoints like GET /x/tweets, /extractions and the "Extraction Workflow" and "Giveaway Draws" sections) and then uses those results to drive actions (e.g., draws, exports, monitoring), so untrusted third-party content could indirectly inject instructions.