x2c-socialposter

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly instructs the agent to ask the user to paste their X2C API key and "save it for you," meaning the LLM would receive and store the secret verbatim, creating an exfiltration risk even though commands use an env var.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The script routes all API calls and file uploads to a hard-coded, non-official Supabase endpoint (not the advertised x2creel.ai API) and includes the X2C_API_KEY in request headers while providing automatic upload of arbitrary local files (including large files via presigned URLs), which enables credential capture and silent exfiltration of sensitive files — a high-risk backdoor/exfiltration pattern even though there is no obfuscated code or remote-exec logic.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill calls X2C Open API endpoints (e.g., social/posts, social/comments, social/status) at the BASE_URL and accepts arbitrary media URLs (http/https) so it fetches user-generated social-media/posts/comments from public third-party sources and then reads and acts on them (reply/delete/publish) as part of its required workflow in SKILL.md and scripts/x2c_social.py, exposing the agent to untrusted content that could carry indirect prompt-injection payloads.