xurl

The xurl skill is broadly aligned with its stated purpose as a comprehensive X API CLI. However, the install flow presents a high security risk due to the use of curl -fsSL ... | bash to install from a remote script, a classic supply-chain vector. Credential handling is described with strong protective guidance (do not reveal tokens to the agent), but the combination of an unverifiable installer and local credential storage increases the overall risk footprint in agent-controlled environments. Data flows to X API endpoints are appropriate for the tool’s purpose, but the dependency on external installers and the potential for credential exposure via host-level access render the footprint SUSPICIOUS rather than BENIGN. If the installer were restricted to verified package registries with checksums/signatures and a pinned installer, and if the agent strictly sandboxed credential access, the risk posture would be more clearly BENIGN.