baoyu-post-to-x
Audited by Socket on Mar 12, 2026
1 alert found:
Obfuscated File
The skill's stated purpose (posting to X via browser automation) is aligned with its capabilities. However, the footprint includes significant risk vectors: a download-execute step for bun via curl|bash from an external domain, browser-based credential/session exposure, and clipboard/paste automation that can leak data. While the tool is designed for user-involved posting (review/publish), the combination of real Chrome CDP automation and environment-credential handling elevates risk. Overall, the skill is SUSPICIOUS due to supply-chain download-execute patterns and potential credential/clipboard exposure, with notable but not definitive data-stealing signals. Recommend restricting execution to verified environments, avoiding uncoupled curl|bash installs, and auditing clipboard/paste flows and browser data handling.