x-api
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: NO_CODE, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [NO_CODE] (HIGH): The core logic file 'x-post.mjs' referenced in the documentation is missing from the provided source. This prevents security validation of the script's behavior, including how it handles user input and API secrets.
- [CREDENTIALS_UNSAFE] (HIGH): The skill requires four sensitive X API credentials (API Key, Secret, Access Token, and Token Secret). Without the source code, it is impossible to confirm that these keys are only transmitted to the official Twitter API.
- [DATA_EXFILTRATION] (MEDIUM): There is an inherent risk that a missing or opaque script could exfiltrate the provided credentials or post content to an unauthorized third-party server.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill provides an external write capability (posting to X). If an agent uses this skill to post content derived from untrusted sources (e.g., summarizing external websites), it creates a surface for attackers to force unauthorized posts or leak internal data via social media.
Recommendations
- AI detected serious security threats