X/Twitter All-in-One: 30+ APIs, OAuth Post, One Key

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Twitter/X search and posting purpose, but it exposes the AIsa API key in normal command output while enabling OAuth-backed posting.

Install only if you trust AIsa with Twitter/X queries, uploaded media, and OAuth posting authority. Avoid running authorize, post, or status commands in shared terminals, logs, or agent transcripts until the skill redacts AISA_API_KEY, and only attach files you intend to upload publicly.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (10)

Intent-Code Divergence

High

Confidence: 97% confidence
Finding: The instructions to default to `--type quote` contradict the documented flow that says normal standalone posts should not send quote/reply relationship fields. This can cause unintended quote-post behavior, accidental inclusion of relationship metadata, and posting semantics different from what the user requested, which is especially risky in an autonomous posting tool.

Context-Inappropriate Capability

Medium

Confidence: 99% confidence
Finding: The status command prints the full AISA API key to stdout, unnecessarily disclosing a bearer credential to anyone with terminal, log, shell-history, or orchestration-log access. Because this skill is designed for Twitter/X search and posting, exposing the underlying relay credential is not required for normal operation and expands the blast radius beyond the user’s immediate action.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: Publish results include the raw AISA API key in normal output, so every successful or failed post leaks a reusable bearer token. In agent environments, command output is often captured in transcripts, debug logs, telemetry, or shown back to users, making credential theft and relay abuse significantly more likely.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The authorization flow prints the raw AISA API key alongside the OAuth authorization URL, exposing a sensitive backend credential during a high-visibility interactive flow. This is especially dangerous because OAuth setup steps are commonly copied, logged, surfaced in UI, or shared for troubleshooting, creating an easy path to secret exfiltration.

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The description is broad enough that an agent may invoke this skill for generic social-media or listening tasks without clearly limiting scope to Twitter/X and the AIsa backend. Over-broad routing can cause unintended third-party data transmission or use of the wrong skill for user requests involving sensitive account or monitoring data.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill description does not clearly warn that user queries, account identifiers, and related Twitter/X data are sent to the third-party service api.aisa.one. This creates a transparency and consent problem, particularly when users may assume the agent is querying Twitter directly rather than relaying data through an external vendor.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The attachment flow states that local files and post content are sent to a relay backend and then to Twitter/X, but the skill does not present this as a clear user-facing warning or consent point. Users may believe media stays local or is sent only to Twitter, creating a privacy and data-handling transparency issue for potentially sensitive attachments.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This finding is substantively the same underlying issue as the post-result secret leak: a sensitive API key is printed without redaction or warning. Lack of warning makes accidental disclosure more likely, but the main risk is the credential exposure itself, which can enable unauthorized use of the relay service.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The authorization command prints a secret bearer key directly in JSON output with no masking or cautionary controls. In practice, such output is commonly retained in console buffers and logs, so the issue creates a durable credential leak rather than a transient display problem.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The status command discloses the configured API key without warning, encouraging routine exposure during diagnostics and support workflows. Since status is often run precisely for debugging, the secret is likely to be copied into tickets, logs, or chat, increasing exposure over time.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal