x-dm-auto-chat

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly requires the agent to obtain the 4-digit DM passcode (from the caller or via AskUserQuestion) and embed each digit verbatim into browser-act input commands (e.g., browser-act --session input ""), which forces secrets to appear in the LLM's output and creates exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill automates bulk and scripted X (Twitter) DMs, reads unlocked E2E DM content and browser cookies (twid, ct0), explicitly requests the 4‑digit DM passcode, and includes rate-limit/anti‑abuse avoidance tactics — enabling credential collection, mass unsolicited outreach (spam) and potential abuse of account-held secrets.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.95). Outsider free text from other users’ X DMs is ingested into the LLM context via browser-act ... eval "$(python scripts/read-conversation.py)" (DOM message-text-* content from peer messages), and then the calling agent uses that returned messages[].text to generate the reply.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the Skill content for literal high-entropy credentials. I found a repeated literal Bearer token string assigned to AUTH in multiple scripts:
      ◦ scripts/fetch-inbox-api.py
      ◦ scripts/scan-inbox-merged.py
      ◦ scripts/search-users.py

Value (URL-encoded form in the files): 'Bearer AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA'

This is a long, random-looking bearer token used in authorization headers (high entropy and a literal credential). Even if it is a public/frontend token frequently seen in apps, it meets the "actual API key" definition (literal, could be used to call API endpoints). I did not flag any placeholders, simple passwords, environment variable names, truncated/redacted strings, or other low-entropy values — none were present aside from cookie names (ct0, twid) which are referenced but not populated with literal values.

Issues (4)

  • HIGH W007: Insecure credential handling detected in skill instructions.
  • CRITICAL E006: Malicious code pattern detected in skill scripts.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 13, 2026, 04:39 AM
Issues: 4