x-dm-auto-chat
Audited by Snyk on Jun 13, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires the agent to obtain the 4-digit DM passcode (from the caller or via AskUserQuestion) and embed each digit verbatim into browser-act input commands (e.g., browser-act --session input ""), which forces secrets to appear in the LLM's output and creates exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This skill automates bulk and scripted X (Twitter) DMs, reads unlocked E2E DM content and browser cookies (twid, ct0), explicitly requests the 4‑digit DM passcode, and includes rate-limit/anti‑abuse avoidance tactics — enabling credential collection, mass unsolicited outreach (spam) and potential abuse of account-held secrets.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). Outsider free text from other users’ X DMs is ingested into the LLM context via browser-act ... eval "$(python scripts/read-conversation.py)" (DOM message-text-* content from peer messages), and then the calling agent uses that returned messages[].text to generate the reply.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the Skill content for literal high-entropy credentials. I found a repeated literal Bearer token string assigned to AUTH in multiple scripts:
- scripts/fetch-inbox-api.py
- scripts/scan-inbox-merged.py
- scripts/search-users.py
Value (URL-encoded form in the files): 'Bearer AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA'
This is a long, random-looking bearer token used in authorization headers (high entropy and a literal credential). Even if it is a public/frontend token frequently seen in apps, it meets the "actual API key" definition (literal, could be used to call API endpoints). I did not flag any placeholders, simple passwords, environment variable names, truncated/redacted strings, or other low-entropy values — none were present aside from cookie names (ct0, twid) which are referenced but not populated with literal values.