Security audit

Twitter Autopilot

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X automation skill mostly does what it claims, but it exposes the configured API key in normal output and has ambiguous public-posting behavior.

Review before installing. Use a dedicated AISA_API_KEY you can rotate, avoid sharing logs or transcripts from status/authorize/post commands, confirm every post/like/follow action before execution, and treat any --media-file path as an upload to AIsa's relay and Twitter/X.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares required binaries and environment variables but does not clearly declare permissions for network access and secret/env usage, even though it relies on outbound HTTPS requests with an API key. This weakens sandboxing and user consent because operators may not realize the skill can transmit credentials and queried data to a third-party service.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 87%
Finding: The documented purpose understates behavior noted by analysis: configuration/status output may disclose sensitive setup details, and posting features include media upload, multipart handling, replies/quotes, and auto-threading beyond the stated description. Description drift is dangerous because users and harnesses may authorize a broader action surface than they intended, especially for social-account actions and possible secret exposure.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The instruction to default all publishing to `--type quote` directly contradicts earlier rules that standalone posts must not include relationship fields and that quote mode should only be used when explicitly requested. In a posting skill, this can cause unintended quote-tweets, malformed posts, or accidental disclosure/linking to third-party content, making the agent behave against user intent.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The status command returns the configured `aisa_api_key` in plain JSON output, which exposes a secret to any caller able to invoke the script. In this skill context, that key is unnecessary for normal user-visible diagnostics and could be reused to access downstream relay or API functionality, enabling unauthorized actions or further compromise.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README advertises capabilities to post, like/unlike, and follow/unfollow on a user's X account but does not warn that these are user-visible, potentially irreversible, or reputation-affecting actions. In an agent setting, this omission increases the risk that users or downstream integrators invoke the skill without appropriate confirmation controls for actions that can publicly modify an account.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill does not prominently warn that user queries and the bearer API credential are sent to AIsa's external service. Even if expected for API-backed functionality, failing to disclose third-party data transfer and credential use undermines informed consent and increases privacy and supply-chain risk.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The example phrase 'Help me post this to Twitter' is broad and close to ordinary conversational language, increasing the chance that the skill is invoked in contexts where the user did not intend to authorize external posting. For a capability that can publish content to a social account, overly broad triggers raise the risk of unintended action execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The attachment flow states that local workspace files are sent to an external relay backend and then to Twitter/X, but it is described operationally rather than as an explicit user-facing warning. In a skill that handles local files, failing to clearly warn users about third-party upload destinations can lead to inadvertent disclosure of sensitive images or videos.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The client automatically sends an environment-sourced secret to a third-party service with no explicit runtime disclosure beyond source code inspection. In an agent-skill context, this is more sensitive because users may invoke the tool without realizing their locally scoped credential is being transmitted off-host to an external relay service.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The `command_status` handler includes `"aisa_api_key": config["aisa_api_key"]` in the response object and prints it directly, causing explicit secret disclosure. Because this skill performs authenticated Twitter engagement actions through a relay, leaking the key is especially dangerous: a user or adversarial prompt could retrieve the credential and use it outside the intended flow.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The script includes the AISA API key in normal command output, which can leak secrets into terminal scrollback, shell history captures, CI logs, agent transcripts, or other monitoring systems. In an agent skill context, stdout is often captured and persisted, making accidental disclosure substantially more likely and enabling unauthorized use of the relay service.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The authorization command prints the API key alongside the authorization URL and raw response, exposing a bearer secret during a security-sensitive OAuth flow. This increases the chance that logs or users focused on completing auth unintentionally disclose the credential, which could then be reused to access the relay API.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The status command reveals the configured API key, turning a diagnostic operation into a secret-disclosure vector. Because status-style commands are commonly run for troubleshooting and their output is often shared, this creates a practical path for credential leakage and subsequent abuse of the Twitter relay service.

Ssd 3

Severity: High
Confidence: 99%
Finding: This is a straightforward plaintext credential exposure: invoking `status` reveals the full configured API key to the caller. In an agent skill, where outputs may be surfaced to end users or other tools, this materially increases risk because the secret can be harvested through ordinary interaction and then abused to invoke protected relay endpoints.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: scripts/twitter_engagement_client.py:304