x-api

SUSPICIOUS. The stated purpose is coherent with X posting/reading, and the data flow is meant for official X endpoints, but the skill’s entire trust model rests on an undocumented local script that receives all X credentials. Because that executable is unverifiable and handles secrets, the skill carries high security risk even without direct evidence of malicious exfiltration.