x-publish

[Skill Scanner] Instruction to copy/paste content into terminal detected All findings: [CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] Overall the skill appears coherent with its stated purpose and does not contain direct signs of remote credential harvesting, downloads, or obfuscated malicious code. Primary risks are local: executing helper scripts of unknown provenance (scripts/copy_to_clipboard.py and optional ~/.claude/.../x_state.py) and operating within a logged-in browser session which grants the skill access to the user's X account UI. Recommendations: inspect the helper scripts before running, ensure they come from a trusted source; confirm the browser session/account is the intended one before running automation; be aware that clipboard content can be observed by other local processes. No confirmed malware found, but moderate caution advised due to local execution and account access implications. LLM verification: Functionally consistent with its stated purpose (automating saving drafts to X). No explicit backdoor, network exfiltration to attacker-controlled domains, or obfuscated payloads found in the provided content. Main risks: unpinned pip installs (supply-chain risk), use of system clipboard and temporary files (local data exposure), and execution of optional local hook scripts under ~/.claude which could run arbitrary code or forward data. Recommend pinning dependencies, avoid writing sensitive con