x-search
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/x_search.sh` is vulnerable to command injection through shell expansion in its heredoc construction.
  - Evidence: The script constructs a JSON payload using an unquoted heredoc (`cat <<EOF`). In Bash, unquoted heredocs evaluate command substitutions such as `$(...)` within the block. Since the `$QUERY` variable is populated directly from the user's search input without sanitization, an attacker can execute arbitrary system commands by including them in the query string.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by retrieving untrusted data from X (Twitter).
  - Ingestion points: Social media post content is fetched from the xAI API in `scripts/x_search.sh`.
  - Boundary markers: The output uses standard markdown headers but lacks specific delimiters or instructions to the agent to disregard any commands contained within the fetched content.
  - Capability inventory: The agent environment includes a Bash tool used to run the search script, providing a vector for further exploitation if the agent is manipulated.
  - Sanitization: No sanitization or escaping of the retrieved text is performed before it is output to the agent.
- [EXTERNAL_DOWNLOADS]: The skill makes network calls to a remote API service.
  - Evidence: The script uses `curl` to interact with `api.x.ai`. This is documented as a well-known service for performing X/Twitter searches and is considered a safe source for this functionality.
Recommendations
- AI detected serious security threats
Audit Metadata