Back to skill

Security audit

Twitter

Security checks across malware telemetry and agentic risk

Overview

This Twitter/X skill appears purpose-built for AIsa social automation, but it exposes the API key in normal command output and can perform public account actions.

Review carefully before installing. Use a limited/rotatable AIsa API key, avoid running status/debug commands in shared logs, do not post confidential media or text, and require explicit user confirmation before publishing, liking, following, or unfollowing from a connected Twitter/X account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares required environment variables and clearly relies on outbound network access, but it does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: a host may not realize the skill can transmit API keys and user-supplied Twitter queries to an external service, increasing the chance of unsafe execution in environments that depend on explicit permission manifests.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill's agent instructions say to default to `--type quote` for publishing, which conflicts with earlier guidance that normal standalone posts should not send quote/reply relationship fields. This can cause unintended quote-post behavior, incorrect linkage to other tweets, or malformed posting logic, leading to user actions that differ from their intent on a public account.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The status command returns the configured `aisa_api_key` in plain JSON, directly exposing a credential to any caller who can invoke the script. In an agent-skill context, this is especially dangerous because status/debug commands are often callable by users or logged by orchestration layers, causing credential leakage beyond the intended Twitter functionality.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The CLI prints the AISA API key in `status`, `authorize`, and posting outputs, which exposes a bearer credential to terminal history, logs, screenshots, calling agents, and any upstream tool that captures stdout. Because the key is also accepted by the relay as an authorization header and included in request bodies, disclosure can enable unauthorized use of the relay and any actions that key permits.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README’s invocation guidance is broad enough to trigger this skill for a wide range of generic social-media requests, including cases where the user may only want information rather than account interaction. In a skill that can post, like, and follow after OAuth, over-broad routing increases the chance of unintended activation and unnecessary exposure to account-affecting capabilities.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises account-affecting actions such as publishing posts, liking/unliking tweets, and following/unfollowing users without an explicit warning that these operations change the user’s account state. In context, this skill is more dangerous because it combines broad invocation guidance with write-capable social actions, which can lead to accidental or insufficiently confirmed actions on a real user account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description advertises account-modifying actions such as posting, liking, and following after OAuth, but it does not prominently warn that these operations change the user's Twitter/X account state and may have public, irreversible, or reputation-impacting consequences. In an agent setting, understated side effects can lead to unintended social actions being performed on behalf of the user.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill enables account-altering actions through a relay service but does not clearly warn that likes, unlikes, follows, and unfollows will be executed on the user's authenticated X/Twitter account. In an agent setting, missing explicit user-facing disclosure increases the risk of users authorizing unintended social actions without understanding they are state-changing operations performed on their behalf.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The attachment flow explains that local media is uploaded through the AIsa relay and then to Twitter/X, but the skill does not clearly warn users that their text and media leave the local environment and are transmitted to third-party services. This creates a privacy and consent risk, especially if users assume attachments remain local or do not realize a relay service processes their content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes an automated flow that tries to publish first and only handles authorization failures afterward, but it does not clearly warn that publishing is an external, potentially irreversible action on the user's Twitter/X account. Without a prominent warning or confirmation expectation, users may trigger public posts they did not fully intend, causing reputation, compliance, or operational harm.

Missing User Warnings

High
Confidence
99% confidence
Finding
Line 489 explicitly includes the API key in the response object for the status command, which is a direct secret-disclosure vulnerability. An exposed relay/API key can let an attacker call protected backend services, impersonate the skill, or pivot into other systems that trust this credential.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
This is a concrete secret-disclosure issue: the tool emits the AISA API key in user-visible CLI output without warning or masking. In agent or CI environments, stdout is commonly persisted, making credential leakage likely and potentially long-lived.

Ssd 3

High
Confidence
99% confidence
Finding
The status output serializes the configured API key into plain JSON and prints it, making disclosure trivial through normal command use, logs, transcripts, or monitoring systems. The skill context makes this more dangerous because the command is unrelated to credential administration, so ordinary operational use could unintentionally leak a live secret.

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user profile about (account country, verification, username changes)
curl "https://api.aisa.one/apis/v1/twitter/user_about?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Batch get user info by IDs
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Batch get user info by IDs
curl "https://api.aisa.one/apis/v1/twitter/user/batch_info_by_ids?userIds=44196397,123456" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user's latest tweets
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user's latest tweets
curl "https://api.aisa.one/apis/v1/twitter/user/last_tweets?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user mentions
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user mentions
curl "https://api.aisa.one/apis/v1/twitter/user/mentions?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user followers
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user followers
curl "https://api.aisa.one/apis/v1/twitter/user/followers?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user followings
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user followings
curl "https://api.aisa.one/apis/v1/twitter/user/followings?userName=elonmusk" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get user verified followers (requires user_id, not userName)
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get user verified followers (requires user_id, not userName)
curl "https://api.aisa.one/apis/v1/twitter/user/verifiedFollowers?user_id=44196397" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Check follow relationship between two users
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Check follow relationship between two users
curl "https://api.aisa.one/apis/v1/twitter/user/check_follow_relationship?source_user_name=elonmusk&target_user_name=BillGates" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Search users by keyword
Confidence
89% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Search top tweets
curl "https://api.aisa.one/apis/v1/twitter/tweet/advanced_search?query=AI+agents&queryType=Top" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get tweets by IDs (comma-separated)
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get tweets by IDs (comma-separated)
curl "https://api.aisa.one/apis/v1/twitter/tweets?tweet_ids=1895096451033985024" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get tweet replies
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get tweet replies
curl "https://api.aisa.one/apis/v1/twitter/tweet/replies?tweetId=1895096451033985024" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get tweet quotes
Confidence
88% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $AISA_API_KEY"

# Get tweet quotes
curl "https://api.aisa.one/apis/v1/twitter/tweet/quotes?tweetId=1895096451033985024" \
  -H "Authorization: Bearer $AISA_API_KEY"

# Get tweet retweeters
Confidence
88% confidence
Finding
https://api.aisa.one/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.