baoyu-danger-x-to-markdown
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- CREDENTIALS_UNSAFE (LOW): The file
scripts/constants.tscontains a hardcoded bearer token (DEFAULT_BEARER_TOKEN). While this is the standard public bearer token used by the X web client, hardcoding authentication tokens is a recognized security concern. - COMMAND_EXECUTION (LOW): The
SKILL.mddocumentation instructs the agent to execute shell commands (cat,mkdir,npx) for consent verification and script execution, utilizing the agent's environment capabilities to modify the local file system. - EXTERNAL_DOWNLOADS (LOW): The skill uses
npxwith the-yflag to runbunandtsx, which facilitates the automatic download and execution of these packages from the npm registry if they are not already installed. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: The skill fetches arbitrary external text from X (Twitter) via
scripts/tweet-to-markdown.tsandscripts/thread.ts. - Boundary markers: The fetched content is delimited using Markdown headers and YAML front matter, but it lacks specific security delimiters or instructions telling the LLM to disregard any commands found within the content.
- Capability inventory: The skill has network access (to X.com) and file system access (for writing cookies and consent files).
- Sanitization: The implementation performs basic Markdown escaping for alt-text but does not sanitize the main text body for potential instructional commands.
Audit Metadata