twitter-poster

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds real-looking API keys, access tokens, and client secrets as inline examples for authentication (and shows how to use them), which encourages the LLM to include those secret values verbatim in generated code/requests and thus creates an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill contains hard-coded Twitter API credentials and client secrets (sensitive tokens) which present a high-risk credential exposure enabling account takeover or unauthorized use; no explicit backdoor/execution or obfuscated payloads were found in the content.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The excerpt contains multiple literal, high-entropy credentials (not placeholders or obvious examples). These appear to be real Twitter API credentials that would grant access if valid:
    ◦ API Key (Consumer Key): KiEaJHzFUWE7BLPMrMeABVx8z — looks random and is a literal key, not a placeholder.
    ◦ API Secret (Consumer Secret): GSvXTcUGpA37xZ5pKOu2aMitplfM0icbrlnVnwbZNVIJVaNQbT — high-entropy secret.
    ◦ Access Token: 1088426905634779136-fKvck5gh92Z5nrirFvkYlfM3ftyZ43 — matches Twitter token format and is literal.
    ◦ Access Token Secret: Rsf3g4rpADKm6U42QbIxjI82kAt2kUVbDFBrCS1ELTmU8 — high-entropy secret.
    ◦ Bearer Token: AAAAAAAAAAAAAAAAAAAAALL3wQEAAAAAEU16sJsJT9zl7D0w6iGMky%2FXn5I%3D3bCPWBSMOyKAlF7LfbRTCbIlt8goxzq2lZlEC6jfcdZNzPU7Jv — long, encoded bearer token.
    ◦ OAUTH2_CLIENT_SECRET_V2 and OAUTH2_CLIENT_SECRET: two distinct high-entropy client secrets (nsWvS3dCCitBpMihAMlr2nMJBy7J-7Xw8tx7Zq_xf2WWiz8r0_ and nsWsS3dCCtiBpMiAhIi2nMJbYJ7-7XwBxfZq_xf2WWiz8r0_) — both are literal secrets.

These are not placeholders (they are specific, random-looking values) and meet the “high-entropy, literal value” definition. No other values in the document meet the criteria for flagging (other strings are descriptive, low-entropy examples, or environment variable names).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:32 PM