Security audit

Twitter Post AIsa

Security checks across malware telemetry and agentic risk

Overview

The skill’s Twitter/X relay purpose is mostly disclosed, but reported credential exposure in its posting and authorization scripts needs review before use.

Install only if you trust AIsa with your Twitter/X queries, account actions, and uploaded media. Before using posting or authorization commands, inspect or patch the scripts so AISA_API_KEY is never printed or returned in JSON output; use a scoped/revocable key and avoid running it where terminal output is logged or shared.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill declares access to an API key and explicitly instructs use of remote AIsa API endpoints, but it does not declare corresponding permissions despite having environment and network capabilities. This creates a transparency and governance gap: users or hosting platforms may underestimate the skill's ability to read secrets and transmit data externally, increasing the risk of unintended credential use or data exfiltration.

Context-Inappropriate Capability

Low

Confidence: 83% confidence
Finding: The status command discloses operational details such as the relay base URL, timeout, supported commands, supported endpoints, and whether an AIsa API key is present. While it does not reveal the secret itself, this information can aid reconnaissance by exposing internal service topology and confirming credential availability to an attacker with access to the skill.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The client forwards user-provided usernames, tweet IDs, queries, and relationship lookups to api.aisa.one, a third-party service, without any explicit runtime disclosure or consent mechanism. In an agent-skill context, this can leak sensitive investigative targets, campaign terms, or user intent to an external provider even when the operator may assume direct Twitter/X access.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The client includes the raw AISA API key in user-visible JSON output during posting flows, which can leak credentials into terminal scrollback, logs, shell history captures, CI artifacts, or chat transcripts. Because this script is specifically designed to perform authenticated social-media actions, exposure of the bearer credential could let anyone with access to that output reuse the key to authorize or post through the AIsa API.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The authorize command prints the raw API key while also performing a network authorization flow, increasing the chance that a sensitive bearer token is exposed during an operation likely to be recorded in logs or shared with a user. In the context of an OAuth/posting client, that key likely grants access to privileged API operations, so disclosure can enable unauthorized posting or account actions through the relay.

External Transmission

Medium

Category: Data Exfiltration
Content: - `AISA_API_KEY` is required for AIsa-backed API access. - Use repo-relative `scripts/` paths from the shipped package. - Twitter/X reads, OAuth requests, and user-approved media uploads use the fixed AIsa API endpoint `https://api.aisa.one/apis/v1/twitter`. - Provide only `AISA_API_KEY`; do not use passwords, cookies, or browser credential export. ## Example Requests
Confidence: 84% confidence
Finding: https://api.aisa.one/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.