he4rt-twitter-engagement-tracker
Warn
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: MEDIUM
Finding category: DATA_EXFILTRATION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides scripts to intercept Twitter GraphQL API responses containing interaction data and user profiles. Evidence: interceptor.js patches window.fetch to capture and clone responses from api.x.com/graphql.
- [DATA_EXFILTRATION]: The interception mechanism insecurely broadcasts captured data between execution contexts. Evidence: The window.postMessage call in interceptor.js uses a wildcard (*) as the target origin, so any script or iframe running in the page, regardless of origin, can receive the captured data. Mitigation: Specify the extension's origin as the targetOrigin argument instead of the wildcard.
- [DATA_EXFILTRATION]: The skill provides implementation examples for sending captured data to an external server. Evidence: Code snippets include fetch calls to api.heartdevs.com.
Audit Metadata