skills/nirholas/xactions/xactions-cli/Gen Agent Trust Hub

xactions-cli

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the xactions package from the npm registry. This is an external dependency from an unvetted third-party author (nichxbt).
  • [COMMAND_EXECUTION]: The tool includes functions to programmatically modify configuration files for various applications, including Claude Desktop, Cursor, and VS Code, using the mcp-config --write command. This represents significant local system modification.
  • [CREDENTIALS_UNSAFE]: The skill manages highly sensitive authentication cookies (auth_token) for X/Twitter. While stored locally at ~/.xactions/config.json, the handling of these credentials by an unvetted tool poses a risk of exposure.
  • [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted data from X/Twitter, which can be leveraged for indirect prompt injection.
      1. Ingestion points: Data is scraped from public profiles and tweets via commands like xactions profile or xactions search.
      2. Boundary markers: No boundary markers or 'ignore' instructions for the scraped data are specified.
      3. Capability inventory: The tool can write to the local file system and modify configuration files.
      4. Sanitization: The skill documentation does not mention any sanitization or validation of the ingested content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 09:53 AM