x-mcp
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and install the `@xdevplatform/xurl` package globally via npm. This package is an external dependency not associated with well-known technology providers or trusted organizations.
- [COMMAND_EXECUTION]: The instructions require executing multiple shell commands, including `npm install`, `xurl` for authentication, and `mkfifo` to create a named pipe for handling headless OAuth 2.0 flows. It also modifies a `setup.sh` file to ensure the external package is reinstalled upon environment restarts, which serves as a persistence mechanism.
- [REMOTE_CODE_EXECUTION]: The skill utilizes `python3 -c` to execute a dynamically generated script that parses local configuration files (`~/.xurl`) to extract and rotate sensitive OAuth access tokens.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from X (tweets, mentions, news) using tools like `search_posts_all` and `get_users_timeline`.
  - Ingestion points: Data enters the context via the 24 listed MCP read tools and REST API calls.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the provided documentation for these tool outputs.
  - Capability inventory: The skill possesses significant capabilities, including package installation, local file modification, and external API communication.
  - Sanitization: There is no evidence of sanitization or validation of the retrieved content from X before it is presented to the agent.
Audit Metadata