search-x
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: User-provided search queries are directly interpolated into the system prompt sent to the xAI API in `scripts/search.js`. An attacker could provide a query designed to override the search assistant's instructions.
  - Evidence: input: `${systemPrompt}\n\nSearch X/Twitter for: ${options.query}\n\nReturn actual tweets with:...`
- [DATA_EXFILTRATION]: The skill accesses the local configuration file `~/.clawdbot/clawdbot.json` to retrieve API keys. While this is used for the skill's primary purpose, it demonstrates access to potentially sensitive local data.
  - Evidence: `const configPath = path.join(process.env.HOME, '.clawdbot', 'clawdbot.json');`
- [COMMAND_EXECUTION]: The skill is designed to execute local Node.js scripts to perform searches, as defined in `package.json` and `SKILL.md`.
  - Evidence: `"bin": { "search-x": "./scripts/search.js" }` in `package.json`.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) as it processes untrusted data from X/Twitter which may contain malicious instructions.
  - Ingestion points: The skill fetches tweet content and metadata via the xAI API in `scripts/search.js`.
  - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when presenting the search results to the parent agent.
  - Capability inventory: The skill executes local commands via Node.js as defined in `SKILL.md`.
  - Sanitization: No sanitization or escaping is performed on the tweet content before it is output.
Audit Metadata