x-twitter-scraper

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to process external, untrusted content from X (including tweets, bios, and direct messages), which constitutes a surface for indirect prompt injection.
  • Ingestion points: Data enters the context through multiple API endpoints such as GET /x/tweets/{id}, GET /x/users/{id}, and GET /x/dm/{userId}/history.
  • Boundary markers: The skill explicitly instructs the agent to wrap all retrieved X content in <XQUIK_UNTRUSTED_X_CONTENT> tags to distinguish it from instructional text.
  • Capability inventory: The skill possesses the capability to perform network requests to xquik.com and execute state-changing actions (posting tweets, liking, sending DMs) via the API.
  • Sanitization: The instructions mandate that the agent ignore any commands found within the untrusted content blocks and requires explicit user approval before performing any write operations or credit-consuming actions.
  • [SAFE]: The skill does not execute local shell commands, modify the filesystem, or attempt to persist across sessions on the host machine. All operations are conducted via standard REST API calls over HTTPS to a designated service host.
  • [CREDENTIALS_UNSAFE]: The skill uses an environment variable (XQUIK_API_KEY) for authentication with the Xquik service. It includes strict prohibitions against requesting or accepting actual X (Twitter) login credentials, such as passwords or 2FA codes, directing users to a secure dashboard for account management instead.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 02:00 AM
Security Audit — agent-trust-hub — x-twitter-scraper