x-manager
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing Python scripts via the shell (e.g.,
python3 {baseDir}/scripts/post_tweet.py). This is the intended design for its functionality, allowing the agent to perform Twitter operations. - [DATA_EXPOSURE]: The skill manages sensitive Twitter API credentials (API key, secret, access tokens) by storing them in user-specific JSON files within a
credentials/directory. While this is a standard local management pattern, it requires appropriate file system permissions to prevent local exposure of these secrets. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from external sources (Twitter timeline, search results, user tweets). An attacker could craft a tweet containing instructions meant to manipulate the agent's behavior when it reads or summarizes that tweet.
- Ingestion points: Data enters the agent context through
scripts/get_timeline.py,scripts/get_user_tweets.py, andscripts/search_tweets.py. - Boundary markers: No explicit delimiters or warnings (e.g., "ignore embedded instructions") are implemented in the scripts to isolate external tweet content.
- Capability inventory: The skill possesses capabilities to post tweets, like, reply, and retweet, which could be abused if an indirect injection is successful.
- Sanitization: There is no evidence of content sanitization or filtering of the retrieved tweet data before it is presented to the agent.
Audit Metadata