x-post
Audited by Socket on Mar 2, 2026
1 alert found:
Security: The skill's stated purpose (posting to X from the command line) is coherent with the requested capabilities (OAuth credentials, media uploads, chunked video). Primary risks are: plaintext storage of high-privilege OAuth credentials at a fixed local path; use of an unverified third-party dependency ('xdk'); and lack of visibility into the actual x-post.py implementation (so we cannot confirm the enforcement of confirmation prompts or absence of secret exfiltration). No explicit download-execute patterns, third-party intermediary endpoints, or obvious backdoors are described, so there is no strong evidence of active malicious behavior in the provided description. Recommend: inspect x-post.py source before use, verify the origin and integrity of the 'xdk' package (or prefer well-known official SDKs), secure the credentials file (restrict filesystem permissions, consider encrypted storage), and confirm the script does not log or send tokens to any non-official endpoints.