twitter-search

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells users to supply API keys as command-line arguments or as the first script argument (e.g., --api-key YOUR_KEY or scripts/twitter_search.py "<api_key>" ...), which would require the agent to include secret values verbatim in generated commands or code, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and analyzes public, user-generated tweets from the Twitter API endpoint https://api.twitterapi.io/twitter/tweet/advanced_search (see scripts/twitter_search.py and scripts/run_search.sh), so the agent consumes untrusted third‑party content as part of its workflow.