xitter

Warn

Audited by Socket on Apr 4, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the skill’s purpose and credential scope are mostly aligned with an X/Twitter integration, and data flow appears aimed at official X API usage. Risk comes from installing an unpinned third-party CLI directly from GitHub, storing full write-capable credentials in a local .env file, and enabling autonomous public posting actions. This is not confirmed malware, but it is a medium-risk skill with notable supply-chain and account-action concerns.

Confidence: 84%
Severity: 58%

Audit Metadata

Analyzed At: Apr 4, 2026, 05:53 PM
Package URL: pkg:socket/skills-sh/NousResearch%2Fhermes-agent%2Fxitter%2F@2cbc95f2a8d7a2269463b6edbf4e33999c727396