twitter-search

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells users to supply API keys as command-line arguments or as the first script argument (e.g., --api-key YOUR_KEY or scripts/twitter_search.py "<api_key>" ...), which would require the agent to include secret values verbatim in generated commands or code, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public, user-generated tweets from the Twitter Advanced Search API (https://api.twitterapi.io/twitter/tweet/advanced_search) as shown in SKILL.md and scripts/twitter_search.py, and then parses and uses tweet text/metrics to drive analyses and actionable recommendations, so untrusted third‑party content can materially influence agent decisions.