Back to skill

Security audit

X Dm Auto Chat

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate X/Twitter private-message access and outreach in ways that users should review carefully before installing.

Install only if you are comfortable letting the skill use your logged-in X session to read private-message data and potentially send DMs. Review the workflow for explicit approval gates, avoid unsolicited or bulk outreach, and delete or protect any saved recipient/message logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly relies on network-capable operations against X, including browser navigation and API/GraphQL data retrieval, yet no explicit permissions are declared. Missing permission disclosure weakens user understanding and policy enforcement around what external access the skill will perform.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill description materially overstates and misstates behavior: it presents a safe-seeming end-to-end DM automation feature set while the documented mechanics include authenticated scraping/API access and anti-abuse-aware outreach steps that are not transparently disclosed. Behavior-description mismatch is dangerous because users and calling agents cannot accurately assess what actions or data access will occur.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The invocation phrases are broad enough to trigger on generic requests for outreach, DM bots, or handling unread private messages, increasing the chance of accidental activation in sensitive contexts. Because the skill can read and send private DMs, broad matching materially raises the risk of unauthorized or poorly scoped use.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is designed to send automated DMs and conduct batch outreach, but it lacks an explicit user-facing warning that it may send messages on the user's behalf to real recipients. In a private-messaging context, absent warning and consent checkpoints can lead to unintended communications, spam, reputational harm, and account enforcement.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script explicitly harvests the logged-in browser's CSRF token from cookies and then performs an authenticated request against the user's X DM inbox. Even though the description says message bodies are E2E encrypted, the code still accesses sensitive inbox metadata, and there is no built-in user-consent, warning, or trust boundary in the script itself. In the context of an automated DM skill, this is more dangerous because it enables silent collection of private conversation metadata from the user's authenticated session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script emits JavaScript that extracts the full contents of an active X DM conversation, including message text, links, images, conversation identifiers, peer display name, and the local user's identifier from cookies. In the context of an automation skill designed to scan and auto-reply to DMs, this is a real privacy and data-exposure risk because highly sensitive private-message content is collected and returned without any in-file minimization, disclosure, or explicit consent gating.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script constructs JavaScript that reads the logged-in browser session's ct0 CSRF cookie and performs an authenticated request to X's GraphQL API using the user's ambient credentials. Even though the destination is first-party (api.x.com), this is still a security-relevant action because it silently leverages session-derived authentication without explicit user disclosure or consent at execution time, enabling account-scoped data access through the skill.

Ssd 4

Medium
Confidence
98% confidence
Finding
The workflow explicitly supports unsolicited outreach at scale and includes timing/randomization guidance aimed at reducing platform abuse detection. Instructions that optimize message campaigns to evade anti-spam controls materially increase the risk of abuse, account compromise consequences, and platform-policy violations.

Ssd 3

Medium
Confidence
91% confidence
Finding
The skill instructs persistence of per-target status and messaging history in external files, creating durable records of private communication activity. This increases privacy and compliance risk because sensitive recipient identifiers, timestamps, and interaction outcomes may be stored without minimization, retention limits, or protection guidance.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.