twitter-scraping
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs users to manually extract the 'auth_token' cookie from their browser's Developer Tools. This is a live session token that provides complete authentication for the X/Twitter account, and hardcoding or providing it to an agent exposes the account to complete compromise.
- [EXTERNAL_DOWNLOADS]: The skill relies on an external NPM package 'xactions'. This package is not from a well-known or trusted organization, making its safety and supply chain integrity difficult to verify.
- [DATA_EXFILTRATION]: The skill explicitly includes tools for scraping highly sensitive and private user data, including Direct Messages (DMs), notifications, and bookmarks. When used in conjunction with the required session token, this creates a significant risk of exfiltrating private communication and activity history.
- [COMMAND_EXECUTION]: The skill provides a large collection of scripts intended to be pasted into the browser's JavaScript console ('Self-XSS'). Executing untrusted code in a privileged context like a logged-in session on x.com allows the scripts to bypass security controls and perform any action on behalf of the user.
Recommendations
- AI detected serious security threats
Audit Metadata