x-research
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill programmatically reads a sensitive configuration file at `~/.config/env/global.env` to extract the `X_BEARER_TOKEN`. This path is considered sensitive as it may contain other global secrets.
  - Evidence: `lib/api.ts` contains a `getToken()` function that attempts to read and parse the file at `${process.env.HOME}/.config/env/global.env`.
- [Indirect Prompt Injection] (LOW): The skill fetches and processes untrusted content from X (Twitter) and presents it to the agent for synthesis, creating a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the context through `lib/api.ts` via the `search`, `thread`, and `profile` functions which fetch tweet text.
  - Boundary markers: The skill uses markdown blockquotes (`>`) in `lib/format.ts` to delimit tweet content, which provides some structural separation but is not a robust security boundary.
  - Capability inventory: The skill can perform network requests to the X API and write files to the local filesystem (cache and drafts). It also encourages the use of `web_fetch` to crawl links found in tweets.
  - Sanitization: The skill performs basic cleanup of `t.co` links in `lib/format.ts` but does not sanitize tweet text for malicious instructions or hidden control characters.
- [Data Exposure & Exfiltration] (LOW): The skill performs network operations to `api.x.com`. While this is the intended service, it is not a predefined trusted domain in the security scope, though the traffic appears limited to API interactions.
Recommendations
- AI detected serious security threats
Audit Metadata