post-to-x

SUSPICIOUS. The core posting capability matches the skill’s stated purpose, but it uses browser automation specifically framed as anti-bot bypass and recommends a curl|bash installer path for Bun. There is no clear credential-harvesting or third-party exfiltration behavior, yet the combination of public-posting capability, anti-detection automation, and supply-chain exposure makes the skill medium risk rather than benign.