check-mutuals
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious behavior or security risks were identified. The skill is documented as a read-only interface to the Xquik API for relationship mapping.
- [DATA_EXPOSURE]: The skill follows security best practices by requiring the XQUIK_API_KEY to be provided via an environment variable rather than being hardcoded. All API communication is directed to the vendor's official domain (xquik.com).
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes third-party data from X (Twitter) profiles. However, the documentation explicitly labels profile data as untrusted, which is a positive security indicator.
- Ingestion points: User bios and handles fetched from the /x/users/ and /x/followers/ endpoints.
- Boundary markers: None explicitly defined in the API documentation.
- Capability inventory: Read-only API access to social graph data; no file system or shell execution capabilities.
- Sanitization: Not explicitly implemented in the skill description, though the untrusted nature of the data is noted.
Audit Metadata