
Security audit

X Twitter Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent X/Twitter automation connector, but it deserves Review because it gives agents broad power to read DMs and make public or destructive account changes without clear confirmation guardrails.

Install only if you intentionally want an agent to operate a connected X/Twitter account through AgentPMT. Configure workflows so the agent asks before posting, deleting, sending DMs, reading broad DM history, following/unfollowing, liking/reposting, hiding replies, or uploading media from URLs; keep account scopes as narrow as possible and avoid putting secrets or sensitive DM content into prompts or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Vague Triggers

Medium (88% confidence)

The activation guidance is broad enough to trigger this skill for generic social-media tasks without strong boundaries or confirmation requirements. Because the skill can post, delete posts, send DMs, follow accounts, and modify lists, over-selection can cause unintended high-impact actions on a real connected X account.

Missing User Warnings

Medium (93% confidence)

The skill advertises powerful account automation capabilities but does not present prominent user-facing warnings near the top about destructive, externally visible, and privacy-impacting actions. In practice, an agent may treat reads and writes similarly and perform actions like reading DMs, sending DMs, deleting posts, or engaging publicly without the user appreciating the consequences.

Missing User Warnings

Medium (91% confidence)

The schema documents destructive actions like delete_list and delete_post but provides no warning that these operations are irreversible or may cause data loss. In an agent-automation context, this increases the chance that an agent or workflow performs unintended destructive actions without adequate human confirmation or guardrails.

Missing User Warnings

Medium (93% confidence)

The schema exposes DM-reading capability through lookup_dms without any privacy or sensitivity warning. Because DMs often contain private or confidential content, documenting this capability without caution can lead agents to access sensitive communications too broadly or without informed user consent.

Missing User Warnings

Medium (92% confidence)

The send_dm capability enables transmission of private content but the schema lacks warnings about confidentiality, accidental disclosure, or misuse. In an agentic setting, an automated workflow could send sensitive or inappropriate messages to the wrong recipient if the capability is treated as routine and low-risk.

Missing User Warnings

Medium (90% confidence)

The upload_media schema allows fetching from a public source_url and uploading content onward, but it does not warn about data-transfer, provenance, or privacy implications. This can cause agents to move data across trust boundaries, fetch untrusted remote content, or upload material without users understanding that external network access and third-party transfer are involved.

VirusTotal

61/61 vendors flagged this skill as clean.
