x-manager

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill operates by executing Python scripts via the shell (e.g., python3 {baseDir}/scripts/post_tweet.py). This is the intended design for its functionality, allowing the agent to perform Twitter operations.
  • [DATA_EXPOSURE]: The skill manages sensitive Twitter API credentials (API key, secret, access tokens) by storing them in user-specific JSON files within a credentials/ directory. While this is a standard local management pattern, it requires appropriate file system permissions to prevent local exposure of these secrets.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from external sources (Twitter timeline, search results, user tweets). An attacker could craft a tweet containing instructions meant to manipulate the agent's behavior when it reads or summarizes that tweet.
  • Ingestion points: Data enters the agent context through scripts/get_timeline.py, scripts/get_user_tweets.py, and scripts/search_tweets.py.
  • Boundary markers: No explicit delimiters or warnings (e.g., "ignore embedded instructions") are implemented in the scripts to isolate external tweet content.
  • Capability inventory: The skill possesses capabilities to post tweets, like, reply, and retweet, which could be abused if an indirect injection is successful.
  • Sanitization: There is no evidence of content sanitization or filtering of the retrieved tweet data before it is presented to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — x-manager