xurl

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill documentation describes a CLI that legitimately requires Twitter/X API credentials and performs account-level actions. The requested capabilities and credentials are consistent with the stated purpose. No direct malicious behavior, obfuscated code, or credential-exfiltration patterns are present in the provided doc. The primary risk is supply-chain: the tool is distributed by a third-party publisher (xdevplatform) via Homebrew tap, npm package, and a GitHub Go module. Users should verify the publisher, inspect the source code of the xurl repository before installation, and avoid pasting credentials into untrusted contexts. Overall risk is moderate due to the need to trust the third-party binary with high-privilege API keys.

Confidence: 75%
Severity: 75%

Audit Metadata

Analyzed At: Mar 1, 2026, 05:14 AM
Package URL: pkg:socket/skills-sh/winsorllc%2Fupgraded-carnival%2Fxurl%2F@41bc6b2bb74cb80a74eb54c26550e159d7a8cf34