unfollow-management
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, NO_CODE)
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation guides users to copy and paste JavaScript scripts into the browser's developer console while logged into X.com. This technique, known as Self-XSS, grants the script full access to the user's session, cookies, and account functions, posing a severe risk of account takeover.
- [NO_CODE]: The core logic of the skill is contained in external files (e.g., 'src/unfollowEveryone.js', 'src/automation/core.js') that are not provided in the skill package. This lack of transparency prevents any security audit of the scripts being recommended for execution.
- [DATA_EXFILTRATION]: Documentation indicates that the scripts scrape and log sensitive account data, such as follower lists and usernames. In the absence of source code, it cannot be confirmed whether this data is restricted to local storage or exfiltrated to an external server.
- [METADATA_POISONING]: There is an inconsistency between the skill's reported author ('nichxbt') and the verified vendor context ('nirholas'). This mismatch in identity may indicate deceptive intent or impersonation.