x-cli
Fail
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: CRITICAL
EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Automated security scans identified a package URL from the official NPM registry (https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.7.tgz). This is a standard dependency for the 'esbuild' build tool and is considered a safe resource from a well-known service.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it retrieves untrusted data from the X platform (tweets, user profiles, mentions) and processes it within the agent's context.
  - Ingestion points: Data enters the agent context through API responses in `src/lib/api.ts` (e.g., `getTweet`, `searchTweets`, `getTimeline`).
  - Boundary markers: There are no explicit instructions or delimiters in the skill scripts to warn the agent about potential instructions embedded in tweet content.
  - Capability inventory: The skill allows the agent to perform write operations like `tweet post`, `tweet delete`, and `like` if the user has explicitly enabled `read-write` mode.
  - Sanitization: No specific sanitization or filtering is performed on retrieved social media content before it is displayed to the agent.
- [SAFE]: The skill implements several security best practices:
  - Credential Isolation: The `auth export` command, which reveals sensitive OAuth tokens, is programmatically disabled when the tool is running as an MCP server (`src/index.ts`). This prevents the agent from exfiltrating its own authentication state.
  - File System Security: Configuration and token files are created with restricted 'owner-only' permissions (mode 0o600) to prevent unauthorized local access (`src/lib/private-files.ts`).
  - Least Privilege: The tool defaults to `read-only` mode and requires explicit user action to enable write capabilities.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata