x-to-markdown

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses node:child_process to spawn browser instances (Chrome, Edge, or Chromium) on the host machine. This is used to capture session cookies for authentication with X, which is a required step for its primary functionality.
  • [EXTERNAL_DOWNLOADS]: Fetches media content (images and videos) from well-known X domains such as pbs.twimg.com and video.twimg.com to save them locally. It also retrieves public JavaScript bundles from abs.twimg.com to resolve API Query IDs required for fetching tweets and articles.
  • [CREDENTIALS_UNSAFE]: Includes a hardcoded public bearer token in scripts/constants.ts. This token is a standard, publicly available credential used by X's web application and is necessary for unauthenticated metadata requests. Authentication cookies obtained from the user's browser are stored locally in the application data directory (cookies.json) for session persistence.
  • [DATA_EXFILTRATION]: The skill reads authentication tokens and uses them to communicate with official X API endpoints. There is no evidence of these credentials or user data being transmitted to unauthorized third-party domains.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 16, 2026, 11:09 AM
Security Audit — agent-trust-hub — x-to-markdown