x-post
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill is designed to read sensitive API credentials (API key, secret, and access tokens) from a plain-text JSON file located at ~/.claude/skills/x-post/x.key. While this is common for CLI tools, it exposes credentials to any process that can read the user's home directory.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the xdk Python package. This is an unverifiable dependency as the primary package with this name on public registries is unrelated to the X (Twitter) API, which may lead to installation failures or unexpected behavior.
- [DATA_EXFILTRATION]: The skill transmits user-provided text and local media files to external endpoints at upload.twitter.com and api.x.com. This is the core purpose of the skill and is documented for transparency.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection where malicious instructions in processed data could attempt to trigger unauthorized posts.
  - Ingestion points: The text argument in x-post.py (passed via Bash) accepts arbitrary string data that the agent may pull from external sources.
  - Boundary markers: The SKILL.md file contains a 'Rules' section that mitigates this risk by explicitly instructing the agent to show the final text to the user and obtain confirmation before posting.
  - Capability inventory: The script has the capability to upload media and create posts via the X API in x-post.py.
  - Sanitization: No programmatic sanitization or filtering of the input text is performed in the script; safety relies entirely on the agent following the confirmation protocol.