x-api
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes Python logic through shell heredocs (python3 <<'PY') to perform API authentication and requests. It also calls a local CLI tool (secrets) to lease and revoke credentials.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by fetching external content from X (mentions and search results) that is processed by the agent. This could allow an attacker to influence agent behavior through malicious tweet content.
  - Ingestion points: Reads data from https://api.twitter.com/2/users/{id}/mentions and https://api.twitter.com/2/tweets/search/recent as seen in SKILL.md.
  - Boundary markers: None. There are no instructions or delimiters provided to the agent to distinguish between system instructions and data fetched from the API.
  - Capability inventory: The skill includes Python scripts in SKILL.md capable of posting tweets (POST /2/tweets), following users (POST /2/users/{id}/following), and deleting tweets (DELETE /2/tweets/{id}).
  - Sanitization: None. The API responses are printed directly to stdout and ingested into the agent context without escaping or validation.
- [DATA_EXFILTRATION]: The skill handles sensitive API credentials by exporting them to environment variables (export CK=...). While the skill provides instructions to revoke these leases, temporary exposure in the environment or process logs is a potential risk.
Audit Metadata