x-api
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection. It retrieves data from X (search results, timelines, and user activity) and outputs it to the agent without boundary markers or sanitization. This allows malicious external content (tweets) to potentially provide instructions to the agent.
  - Ingestion points: scripts/get_timeline.py, scripts/recent_activity.py, and scripts/search_tweets.py fetch untrusted content from X.
  - Boundary markers: Absent. The tweet text is printed directly to the terminal for agent consumption.
  - Capability inventory: The skill includes various write operations (post_tweet.py, post_reply.py, post_quote.py, post_with_media.py, delete_post.py, retweet.py, like_post.py, and send_dm.py) that could be triggered by injected instructions.
  - Sanitization: Absent.
- Data Exfiltration (LOW): The scripts post_with_media.py and send_dm.py allow the agent to upload local files to X. This capability creates an exfiltration vector where an agent, if compromised by a prompt injection, could be instructed to upload sensitive local files (e.g., ssh keys or configuration files) as attachments.
- Data Exfiltration (LOW): The documentation in README.md and SKILL.md recommends storing API credentials in /root/.env. While this is an instructional recommendation rather than a code-level vulnerability, /root/ is a high-privilege sensitive path, and placing secrets there increases the risk of credential exposure.
Audit Metadata