x-search
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to locate and execute a local TypeScript CLI tool (
x-search.ts) using the Bash tool. While this is the core mechanism for the skill's functionality, it involves executing shell commands with arguments derived from user input and search results. - [DATA_EXFILTRATION]: The skill requires and uses a sensitive credential (
X_BEARER_TOKEN) stored in an environment variable to communicate withapi.x.com. While the communication is with the official API, the skill facilitates the retrieval of external data which is then processed within the agent's context. - [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8). It explicitly encourages the agent to fetch tweets, follow threads, and use
web_fetchto retrieve content from external links found in tweets. - Ingestion points: Data enters the context from the X API (
search,profile,thread, andtweetsubcommands) and through external web fetches of linked resources. - Boundary markers: There are no specific instructions or delimiters provided to the agent to treat the fetched content as potentially untrusted or to ignore instructions embedded within the data.
- Capability inventory: The agent has the ability to execute shell commands (via the Bash tool) and perform network requests (
web_fetch). - Sanitization: The instructions do not specify any sanitization or validation of the content retrieved from X or linked websites before synthesis.
Audit Metadata