Back to skill

Security audit

X/Twitter Automation: 30+ APIs, OAuth Post, One Key

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill largely does what it advertises, but it exposes the AISA API key in normal command output and should be reviewed before use.

Install only after reviewing the API-key exposure. Use a scoped AISA key, avoid running status/authorize/post where outputs are logged or shared, authorize only the intended Twitter/X account, and treat posted text or media as data sent to AIsa and potentially published publicly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill requires environment access to `AISA_API_KEY` and makes outbound network requests, but it does not declare corresponding permissions. This creates a transparency and governance gap: an agent or user may invoke the skill without understanding that secrets will be read and sent to a third-party API.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill’s agent instructions say to default to `--type quote` for publishing, which conflicts with earlier guidance that quote mode should only be used when the user explicitly wants to quote another tweet and provides the original tweet URL. This can cause unintended quote-post behavior, alter publication semantics, and potentially attach relationship fields to ordinary posts in ways the user did not authorize.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file markets itself as a read-only Twitter client, but the shared request helper supports POST and automatically includes the API key in POST bodies. That mismatch can mislead downstream agents or reviewers into granting broader trust than warranted, increasing the chance that future code paths add write actions or secret-bearing requests under a read-only label.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The CLI description presents the tool as read-only even though the underlying helper can perform POST requests. In an agent-skill context, misleading safety claims are dangerous because operators may approve the tool for low-risk data retrieval while hidden write-capable plumbing and credential forwarding remain available for later expansion or misuse.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command prints the full configured AISA API key in cleartext, unnecessarily exposing a sensitive credential in normal user-visible output. In an agent/skill environment, stdout is often logged, surfaced to users, or captured by orchestration layers, so this can directly leak a reusable bearer credential beyond its intended scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The authorization flow output includes the raw API key alongside the authorization URL, even though the key is not needed by the end user to complete OAuth. This creates an avoidable credential disclosure path through terminal output, logs, transcripts, or agent tool responses.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly markets the ability to write and post to Twitter/X, including text and media, but it does not warn that these actions create public, potentially irreversible changes on a user's account. In an agent context, this increases the risk of accidental or unintended public posting because operators may treat the skill like a read-only social listening tool unless the destructive/public nature is clearly disclosed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill description promotes Twitter/X search and account-related operations via a third-party API but omits a clear privacy/data-sharing warning. Users may provide sensitive search terms, usernames, monitoring targets, or account-linked actions without informed consent that this data is transmitted to `aisa.one`.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger examples use broad, natural phrases such as 'Help me post this to Twitter,' which can make the skill activate on ordinary conversational text without a strong confirmation boundary. In a posting skill, unintended invocation is especially risky because it can lead to accidental publication of user-provided text or media to an external public platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes attachment handling and backend upload flow but does not clearly warn users that their text and local media files will be transmitted to external services and may be published publicly on X/Twitter. This creates a meaningful consent and privacy risk, especially for attachments that may contain sensitive or unintended content.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
For POST requests, the client duplicates the bearer credential into the JSON body as `aisa_api_key`, unnecessarily expanding where the secret is exposed. This increases leakage risk through server-side request logging, intermediaries, debugging output, application telemetry, and error capture systems that commonly record bodies more readily than authorization headers.

Missing User Warnings

High
Confidence
99% confidence
Finding
The post/publish path returns JSON containing the full AISA API key, causing secret exposure during ordinary operation rather than exceptional debugging. Because this skill is specifically intended for end-user interaction around Twitter posting, exposing backend credentials in command results is unrelated to purpose and substantially increases leak risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Printing the AISA API key in cleartext during the OAuth authorization flow discloses a secret at a point likely to be displayed to users or stored in logs. A bearer API key may allow unauthorized use of the relay service, impersonation of the skill's backend access, or abuse of associated quotas and capabilities.

Missing User Warnings

High
Confidence
99% confidence
Finding
The status command reveals the configured API key in cleartext without any masking or warning, turning a diagnostic command into a credential disclosure mechanism. In agent ecosystems, status commands are especially likely to be invoked interactively or automatically, making accidental secret exposure more probable.

Ssd 3

High
Confidence
99% confidence
Finding
Echoing the API key in normal post output and status-style responses leaks a sensitive credential in plain language. This is dangerous because command output commonly propagates into chat transcripts, telemetry, CI logs, shell history, or third-party observability systems, enabling credential reuse by unintended parties.

Ssd 3

High
Confidence
99% confidence
Finding
The authorization flow exposes the configured API key next to the authorization URL, combining a user action link with a reusable backend credential in a single response. An attacker who sees this output could use the bearer token to access the relay API independently of the intended OAuth flow.

Ssd 3

High
Confidence
99% confidence
Finding
The diagnostic status response includes the full API key, which is a direct sensitive-data disclosure. Given the skill's purpose is Twitter search/post operations, revealing an internal relay credential is unnecessary and increases the blast radius if command output is observed or stored.

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user profile about (account country, verification, username changes)
curl "https://api.aisa.one/apis/v1/twitter/user_about?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Batch get user info by IDs
Confidence
86% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Batch get user info by IDs
curl "https://api.aisa.one/apis/v1/twitter/user/batch_info_by_ids?userIds=44196397,123456" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user's latest tweets
Confidence
86% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user's latest tweets
curl "https://api.aisa.one/apis/v1/twitter/user/last_tweets?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user mentions
Confidence
86% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user mentions
curl "https://api.aisa.one/apis/v1/twitter/user/mentions?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user followers
Confidence
86% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user followers
curl "https://api.aisa.one/apis/v1/twitter/user/followers?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user followings
Confidence
86% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user followings
curl "https://api.aisa.one/apis/v1/twitter/user/followings?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user verified followers (requires user_id, not userName)
Confidence
86% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user verified followers (requires user_id, not userName)
curl "https://api.aisa.one/apis/v1/twitter/user/verifiedFollowers?user_id=44196397" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Check follow relationship between two users
Confidence
85% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Check follow relationship between two users
curl "https://api.aisa.one/apis/v1/twitter/user/check_follow_relationship?source_user_name=elonmusk&target_user_name=BillGates" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Search users by keyword
Confidence
87% confidence
Finding
https://api.aisa.one/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.