res-x
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads 'uv', a well-known and trusted Python package manager, from astral.sh. Installation is documented clearly in the README.
- [CREDENTIALS_UNSAFE]: The skill implements a secure credential management workflow. It instructs users to store their xAI API key in a dedicated macOS keychain rather than hardcoding it or using environment variables. The Python script retrieves the key using the 'security' CLI tool.
- [COMMAND_EXECUTION]: The script uses 'subprocess.run' to interact with the macOS keychain ('security' command). This is a legitimate use case for retrieving stored credentials and does not involve executing untrusted input.
- [DATA_EXFILTRATION]: Network operations are restricted to the official xAI API endpoint (api.x.ai). No sensitive data (like the API key or local files) is sent to unauthorized external domains.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external content (tweets and articles). While it has an ingestion surface, it acts as a pass-through tool, presenting the fetched content to the user without executing instructions contained within that data. The use of structured prompts for the xAI API further mitigates risks.
Audit Metadata