Security audit

AIsa Twitter Research Engage Relay

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Twitter/X relay purpose, but it needs review because it can print the AIsa API key and can perform live account actions immediately once invoked.

Review carefully before installing. Use only a scoped, rotatable AIsa key, avoid sharing command output or logs until the key-printing behavior is fixed, and confirm the exact account, tweet, post text, and media files before allowing any action. Do not use this if you need a workflow that avoids routing data through AIsa's relay.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill is presented as a focused engagement workflow, but the detected behavior reportedly includes broader discovery/analytics operations, destructive actions such as unlike/unfollow, media uploads, and automatic multi-post chaining. That mismatch can mislead users and reviewers about the real scope of actions and data handling, increasing the risk of unintended account actions, privacy exposure, or abuse through under-disclosed capabilities.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script includes the raw AIsa API key in user-visible JSON output for posting/status flows, which unnecessarily discloses a bearer secret that can be reused to invoke the relay API. Any terminal logs, shell history capture, CI logs, screenshots, or downstream tooling that records command output could leak the credential and allow unauthorized Twitter actions through the service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly states that local workspace files and post content are transmitted to a third-party relay backend and then to Twitter/X, but it does not require a clear user-facing disclosure at the moment of action. This creates a real privacy and data-handling risk because agents may upload local files or sensitive text outside the local environment without the user fully understanding that data is leaving the workspace and being sent to external services.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
User-supplied Twitter handles, tweet IDs, queries, and similar data are sent to api.aisa.one without any explicit notice, consent flow, or data-minimization controls. In an agent skill context, this matters because user-entered research targets or sensitive investigative queries may be silently disclosed to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script performs state-changing social actions such as like, unlike, follow, and unfollow immediately after argument parsing, with no explicit confirmation, dry-run mode, or secondary approval step. In an agent skill context, this increases the risk of unintended account actions from prompt misunderstanding, ambiguous identity resolution, or automation misuse, especially because the skill is specifically designed to execute engagement actions on live accounts.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Echoing the API key back to the user without warning or redaction creates an avoidable secret exposure channel. While this may seem convenient for debugging, the key is a sensitive authentication credential and should not appear in normal CLI output, especially in a skill that performs OAuth-gated posting and engagement actions.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The authorize command prints the raw API key alongside the authorization URL and response data, exposing a reusable credential during a workflow likely to be shared with users or copied into tickets and chat. Because this is an OAuth-related flow, operators may be especially likely to paste the output elsewhere, increasing the chance of credential compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.