X Twitter Automation (Search + Post)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Twitter/X search and posting purpose, but it exposes the configured AIsa API key in normal command output and has posting-mode ambiguity users should review.

Install only if you trust AIsa with Twitter/X queries, uploaded media, OAuth posting, and the configured API key. Until the key-printing behavior is fixed: do not share or log command output from the status, authorize, or post commands; leave TWITTER_RELAY_BASE_URL unset unless you intentionally trust another relay; and review every post before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Medium (97% confidence)
Finding
The skill’s agent instructions say to default publishing to `--type quote`, but earlier sections explicitly state that normal standalone posts should not send relationship fields and that quote mode requires a target tweet URL. This contradiction can cause the agent to construct malformed or unintended quote posts, potentially attaching user content to an unintended quoting workflow and producing incorrect public actions on the user’s social account.

Context-Inappropriate Capability

High (99% confidence)
Finding
The code includes `config["aisa_api_key"]` in the JSON returned by publish-related flows, causing the bearer credential to be exposed to any caller, logs, terminal history, or downstream tooling that captures command output. This is unrelated to the stated Twitter posting purpose and materially increases the risk of credential theft and unauthorized use of the relay service.

Context-Inappropriate Capability

High (99% confidence)
Finding
Both the authorize and status paths print the full AIsa API key in cleartext JSON, disclosing a sensitive secret during normal operation. Because these commands are likely to be run interactively or through orchestration systems, the secret can leak into logs, chat transcripts, CI output, or other telemetry without any need for exploitation beyond invoking the command.

Vague Triggers

Medium (79% confidence)
Finding
The description says to use the skill for broad 'Twitter/X data, social listening, or posting' requests, which can cause over-triggering on common social-media tasks without a narrow scope check. In context, this matters because invocation sends queries and account-related targets to an external service, so accidental routing increases privacy and data-handling risk.

Missing User Warnings

Medium (96% confidence)
Finding
The skill description does not clearly warn that user queries, searched terms, usernames, tweet IDs, community IDs, and similar targets are sent to a third-party service, api.aisa.one. This omission undermines informed consent and can expose sensitive research targets or account-related interests to an external provider.

Missing User Warnings

Medium (91% confidence)
Finding
The attachment flow states that local workspace files are sent to a relay backend and then uploaded to Twitter/X, but the skill description does not clearly warn users about this external transfer. That creates a privacy and data-handling risk because users may attach local media assuming it stays local or is sent only to Twitter, when in fact it passes through an intermediate service.

Missing User Warnings

Medium (97% confidence)
Finding
Echoing the API key back in publish output is a direct sensitive-data exposure issue. Even if the key is already configured locally, printing it to stdout broadens exposure to shell history capture, log aggregators, and other consumers of command output.

Missing User Warnings

Medium (98% confidence)
Finding
The authorization flow returns the full API key as part of the command output, which is unnecessary for OAuth initiation and leaks a reusable secret during a common workflow. This creates avoidable exposure in consoles, logs, and automation transcripts.

Missing User Warnings

Medium (99% confidence)
Finding
The status command discloses the configured API key in cleartext even though status reporting only requires non-sensitive configuration details. This turns a harmless introspection command into a credential disclosure primitive.

Ssd 3

High (99% confidence)
Finding
This output path exposes a sensitive bearer credential in plaintext, enabling anyone who can read the command output to reuse the key against the relay API. In an agent skill context, where outputs may be surfaced to users or stored by platform infrastructure, this is especially dangerous because it expands the trust boundary far beyond local code execution.

Ssd 3

High (99% confidence)
Finding
The authorization command includes the full API key in printed response data, creating a straightforward secret exfiltration channel. Since the command is intended for routine use, the leak is likely to happen under normal operation rather than only in exceptional conditions.

Ssd 3

High (99% confidence)
Finding
The status command reveals the configured API key in cleartext, which is a direct credential disclosure vulnerability. Because status endpoints/commands are often invoked for diagnostics and can be broadly accessible to operators, this unnecessarily exposes a secret to a wider audience than intended.

VirusTotal

66/66 vendors flagged this skill as clean.
