twitter-poster

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill's purpose and capabilities are reasonable for automated Twitter posting, but the document contains critical security issues: multiple plaintext OAuth credentials and bearer tokens and the inclusion of arbitrary shell access (Bash). These together create a high risk of credential theft, account takeover, and local secrets exfiltration. There is no direct evidence of obfuscated or actively malicious executable code in the file itself, but the combination of exposed credentials and excessive tooling is dangerous and should be treated as a supply-chain security incident until tokens are rotated and the spec is sanitized. Recommended immediate actions: rotate all exposed tokens, remove secrets from the repository, require secure secret injection (env vars/secrets manager), and remove or limit Bash access. Implementers should audit runtime behavior if these tokens were used.

Confidence: 98%

Audit Metadata

Analyzed At: Feb 15, 2026, 09:18 PM

Package URL: pkg:socket/skills-sh/rkreddyp%2Finvestrecipes%2Ftwitter-poster%2F@c19f51a63044e151f8bc6b6f94358be2d9a80fa1