storyclaw-x-manager

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Path traversal vulnerability in credential loading mechanism.
      • Evidence: In all scripts (e.g., scripts/post_tweet.py line 16), the user_id provided as a command-line argument is directly used to construct a file path: os.path.join(SKILL_DIR, 'credentials', f'{user_id}.json').
      • Impact: An attacker could provide a malicious user_id (e.g., ../state/admin) to read arbitrary JSON files accessible to the process, including other users' credentials or internal state files.
  • [PROMPT_INJECTION]: Significant indirect prompt injection surface due to processing untrusted external data.
      • Ingestion points: The skill fetches external data from Twitter via get_timeline.py, get_user_tweets.py, and search_tweets.py.
      • Boundary markers: No delimiters or instructions are used to distinguish between system commands and fetched tweet content.
      • Capability inventory: The skill possesses high-privilege write capabilities including post_tweet.py, reply_tweet.py, like_tweet.py, and retweet.py.
      • Sanitization: No validation or sanitization of tweet content is performed before returning it to the agent.
      • Impact: Attackers can embed malicious instructions in tweets that the agent may interpret and execute, leading to unauthorized account actions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 06:20 AM