timeline
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or persistence mechanisms were detected in the skill's instructions or configuration files.
- [EXTERNAL_DOWNLOADS]: The skill connects to the official X API (api.x.com) to retrieve home timelines, user tweets, and mentions. As an established and well-known service used for the skill's primary purpose, this network activity is considered legitimate.
- [CREDENTIALS_UNSAFE]: The skill correctly uses an abstracted x-oauth slot defined in agent-secrets.yaml for authentication. No hardcoded API keys or tokens are present, and the documentation explicitly instructs not to ask users for raw credentials in the chat.
- [INDIRECT_PROMPT_INJECTION]: The skill represents an ingestion surface for untrusted external data by reading tweets and mentions from X. While this creates a potential vector for indirect prompt injection, it is the intended functionality of the skill, and no exploitable capability (like code execution or file writing) is exposed through this data path.
Audit Metadata