twitter-search

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells users to supply API keys as command-line arguments or as the first script argument (e.g., --api-key YOUR_KEY or scripts/twitter_search.py "<api_key>" ...), which would require the agent to include secret values verbatim in generated commands or code, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and analyzes user-generated tweets from the public Twitter/X API (see "Prerequisites" and "Fetch Data" / scripts/twitter_search.py in SKILL.md), and the workflow requires the agent to read that untrusted third‑party content and base analysis and actionable recommendations on it, enabling indirect prompt-injection risks.