x-mcp

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and install the @xdevplatform/xurl package globally via npm. This package is an external dependency not associated with well-known technology providers or trusted organizations.
  • [COMMAND_EXECUTION]: The instructions require executing multiple shell commands, including npm install, xurl for authentication, and mkfifo to create a named pipe for handling headless OAuth 2.0 flows. It also modifies a setup.sh file to ensure the external package is reinstalled upon environment restarts, which serves as a persistence mechanism.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes python3 -c to execute a dynamically generated script that parses local configuration files (~/.xurl) to extract and rotate sensitive OAuth access tokens.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from X (tweets, mentions, news) using tools like search_posts_all and get_users_timeline.
      • Ingestion points: Data enters the context via the 24 listed MCP read tools and REST API calls.
      • Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the provided documentation for these tool outputs.
      • Capability inventory: The skill possesses significant capabilities, including package installation, local file modification, and external API communication.
      • Sanitization: There is no evidence of sanitization or validation of the retrieved content from X before it is presented to the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 30, 2026, 11:40 AM