account-backup
Warn
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: MEDIUMNO_CODECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [NO_CODE]: The functional logic of the skill is stored in external files (
src/backupAccount.js,src/downloadAccountData.js, andapi/routes/portability.js) that are not included in the skill package. This lack of transparency makes it impossible to verify the safety of the scripts before they are executed. - [COMMAND_EXECUTION]: The skill instructs users to open browser Developer Tools and paste scripts directly into the console while authenticated on
x.com. This is a high-risk instruction that bypasses standard security protections and can lead to account takeover if the scripts are designed to steal session tokens or perform unauthorized actions. - [DATA_EXFILTRATION]: While the skill claims to facilitate local backups, it references an API route (
/api/portability/export) that suggests data could be transmitted to an external server. Without the source code, there is no way to confirm if sensitive account data like bookmarks and private followers are being exfiltrated to the author's infrastructure.
Audit Metadata