twitter-skill
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its interaction with untrusted external data.
- Ingestion points: External content enters the agent's context through the timeline, mentions, search, and user-tweets commands in twitter_skill.py, which fetch data directly from the Twitter/X API.
- Boundary markers: The skill instructions in SKILL.md include a mandatory confirmation rule for state-changing actions, but no programmatic delimiters or 'ignore' instructions are applied to the data output of the script.
- Capability inventory: The skill possesses significant capabilities, including the ability to post, reply, like, follow, and delete content via subprocess calls to the twitter_skill.py script.
- Sanitization: The script outputs raw JSON responses from the Twitter API, including user-generated tweet text, without any filtering or validation of the content for malicious instructions.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute the twitter_skill.py script for all operations, which is the intended design for this skill.
- [EXTERNAL_DOWNLOADS]: The script uses the requests library to communicate with api.twitter.com and twitter.com. These are well-known technology services and the communication is documented neutrally as standard API interaction.
Audit Metadata