Auto Tweet Publish

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for X/Twitter automation, but it gives a local server broad control over a live account with weak safeguards and incomplete upfront disclosure.

Install only if you are comfortable giving this local Python server substantial control over a live X/Twitter account. Use a dedicated account if possible, protect config.json and cookies.json, keep the server bound to 127.0.0.1, stop it when finished, and require explicit human confirmation before posts, DMs, deletes, follows, retweets, or scheduled tweets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires local file access and network communication. This under-declaration prevents informed consent and weakens any policy or sandbox layer that relies on manifest permissions to constrain sensitive capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The manifest and top-level description understate the full set of account-impacting actions, while the documentation exposes additional capabilities such as DMs, follow/unfollow, deletion, scheduling, notifications access, and credential/cookie handling. This mismatch can cause the skill to be invoked in situations where users or orchestrators did not consent to higher-risk actions affecting account integrity, privacy, and reputation.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest/overview omit direct messaging and follow-management functions even though the skill supports them. Those capabilities materially change the risk profile because they enable private communication and social-graph manipulation, which may be triggered without clear user awareness.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The security note claims 'No telemetry, no external callbacks' even though the skill's core function necessarily sends outbound requests to Twitter/X through the local wrapper. Misleading security claims can cause users to underestimate data transmission and trust boundaries, especially when credentials, cookies, tweet content, DMs, and timeline data are involved.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file advertises the API as localhost-only, but the bind host is loaded from config and passed directly to uvicorn.run, so an operator can expose the service on 0.0.0.0 or another reachable interface. Because the API performs authenticated actions on the user's X account and has no authentication or authorization layer of its own, network exposure would let other reachable clients post, delete, DM, follow, and inspect account data.
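The overview's hardening advice (keep the server on 127.0.0.1, require human confirmation before posts, DMs, deletes, follows, retweets and scheduled tweets) and this finding come down to two controls: refuse to bind anywhere but loopback unless an operator deliberately opts in and supplies a token, and gate account-changing actions behind explicit confirmation. The following is an added example, not the skill's code, showing both as plain Python functions that a FastAPI/uvicorn wrapper could call before uvicorn.run and inside each request handler. The config keys host and api_token, the action names, and the allow_remote flag are assumptions for illustration.

```python
import hmac
import ipaddress
from typing import Optional, Tuple

# Account-changing actions the page recommends gating behind human confirmation.
# The names are illustrative; map them to whatever the wrapper's routes are called.
HIGH_IMPACT_ACTIONS = frozenset({
    "post", "delete", "dm", "follow", "unfollow", "retweet", "schedule",
})


def is_loopback(host: str) -> bool:
    """True only for 'localhost', 127.0.0.0/8 and ::1; anything else is untrusted."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames do not parse as addresses: treat as non-loopback


def resolve_bind_host(config: dict, allow_remote: bool = False) -> str:
    """Return the host to hand to the server. A non-loopback bind is refused unless the
    operator both opts in (allow_remote) and configures an api_token (assumed key)."""
    host = str(config.get("host", "127.0.0.1"))
    if is_loopback(host):
        return host
    if not allow_remote:
        raise ValueError(
            f"refusing to bind {host!r}: the API has no auth of its own; "
            "keep it on 127.0.0.1 or opt in with allow_remote=True and an api_token"
        )
    if not config.get("api_token"):
        raise ValueError("a non-loopback bind requires config['api_token']")
    return host


def authorize(action: str, confirmed: bool,
              presented_token: Optional[str] = None,
              expected_token: Optional[str] = None) -> Tuple[bool, str]:
    """Gate one request. When a token is configured it is checked in constant time;
    high-impact actions additionally require confirmed=True. Read-only actions pass."""
    if expected_token is not None:
        if presented_token is None or not hmac.compare_digest(
                presented_token.encode(), expected_token.encode()):
            return False, "missing or invalid api token"
    if action in HIGH_IMPACT_ACTIONS and not confirmed:
        return False, f"{action!r} changes the account; explicit human confirmation required"
    return True, "ok"


if __name__ == "__main__":
    # Constructed config.json contents, not the skill's real defaults.
    safe_cfg = {"host": "127.0.0.1", "port": 8000}
    print("bind:", resolve_bind_host(safe_cfg))
    try:
        resolve_bind_host({"host": "0.0.0.0", "port": 8000})
    except ValueError as err:
        print("blocked:", err)
    print(authorize("timeline", confirmed=False))
    print(authorize("delete", confirmed=False))
    print(authorize("delete", confirmed=True))
```

The bind check belongs before uvicorn.run so that a config.json edit to 0.0.0.0 fails loudly instead of silently exposing the account; the authorize call belongs in every mutating route, because a loopback bind alone does not stop another local process or browser tab from driving the API.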

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation phrasing is broad enough to cover almost any X/Twitter account-management request, increasing the chance of overbroad invocation for sensitive actions. In a skill that can post, delete, DM, follow, and retweet, unclear trigger boundaries raise the risk of unintended high-impact operations.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Describing the skill as allowing broad natural-language control without clear boundaries encourages unrestricted interpretation by an agent. Because the skill controls a live social-media account, this increases the chance of unintended posting, engagement, private messaging, or account changes based on ambiguous prompts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation lists powerful actions including delete tweet, send DM, follow/unfollow, retweet, bookmark, and scheduling, but provides no warnings or confirmation requirements for destructive, privacy-sensitive, or reputationally risky operations. In this context, omission of safeguards is dangerous because a user or agent could execute impactful account actions without understanding consequences or needing a second check.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The _dedup_cookies method copies cookies from .twitter.com to .x.com and then removes the originals, effectively widening credential reuse across domains without validating cookie scope, attributes, or whether such migration is safe. Because this skill manages an authenticated X account and uses those cookies for account actions, unsafe domain rewriting can cause credential mishandling, session confusion, or leakage of sensitive auth state to requests that were not originally authorized for that domain.
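To make the cookie concern concrete, the added example below is not the skill's _dedup_cookies but a reconstruction of the behaviour the finding describes (rewrite .twitter.com cookies to .x.com, drop the originals, keep one cookie per name), placed next to a scoped alternative that deduplicates only within one domain and an allowlisted migration for the case where a cross-domain copy is genuinely needed. The cookie jar, its field names and the cookie values are constructed placeholders; the domain-match rule is RFC 6265's.

```python
from typing import Dict, List

Cookie = Dict[str, object]   # constructed shape: name, value, domain, path, secure


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def risky_dedup(cookies: List[Cookie]) -> List[Cookie]:
    """Pattern the finding describes (reconstruction, not the skill's code): every
    .twitter.com cookie is re-labelled .x.com, originals vanish, last name wins."""
    by_name: Dict[str, Cookie] = {}
    for c in cookies:
        if c["domain"] == ".twitter.com":
            c = {**c, "domain": ".x.com"}
        by_name[c["name"]] = c            # a later cookie silently replaces an earlier one
    return list(by_name.values())


def scoped_dedup(cookies: List[Cookie]) -> List[Cookie]:
    """Deduplicate only on (domain, path, name); never alter the domain a server set."""
    seen: Dict[tuple, Cookie] = {}
    for c in cookies:
        key = (str(c["domain"]).lower(), c.get("path", "/"), c["name"])
        seen.setdefault(key, c)           # keep the first; never merge across domains
    return list(seen.values())


def migrate_allowlisted(cookies: List[Cookie], names, src: str, dst: str) -> List[Cookie]:
    """If a cross-domain copy is really required, do it deliberately: only the named
    cookies, attributes preserved, originals kept so the source session survives."""
    copies = [{**c, "domain": dst} for c in cookies
              if c["domain"] == src and c["name"] in names]
    return cookies + copies


def cookie_header_for(cookies: List[Cookie], host: str, scheme: str = "https") -> str:
    """Cookie header a well-behaved client sends to host: domain-matching cookies only,
    and Secure cookies only over https."""
    parts = []
    for c in cookies:
        if not domain_matches(host, str(c["domain"])):
            continue
        if c.get("secure") and scheme != "https":
            continue
        parts.append(f"{c['name']}={c['value']}")
    return "; ".join(parts)


# Constructed sample jar; values are placeholders, not real credentials.
SAMPLE_JAR: List[Cookie] = [
    {"name": "auth_token", "value": "tw-session", "domain": ".twitter.com", "path": "/", "secure": True},
    {"name": "ct0",        "value": "tw-csrf",    "domain": ".twitter.com", "path": "/", "secure": True},
    {"name": "ct0",        "value": "x-csrf",     "domain": ".x.com",       "path": "/", "secure": True},
    {"name": "guest_id",   "value": "g1",         "domain": ".x.com",       "path": "/", "secure": False},
]

if __name__ == "__main__":
    print("risky  -> api.x.com  :", cookie_header_for(risky_dedup(SAMPLE_JAR), "api.x.com"))
    print("risky  -> twitter.com:", repr(cookie_header_for(risky_dedup(SAMPLE_JAR), "twitter.com")))
    print("scoped -> api.x.com  :", cookie_header_for(scoped_dedup(SAMPLE_JAR), "api.x.com"))
    print("scoped -> twitter.com:", cookie_header_for(scoped_dedup(SAMPLE_JAR), "twitter.com"))
```

Run as written, the risky variant sends the twitter.com session token to every x.com host and leaves twitter.com with no session at all, which is exactly the credential reuse and session confusion the finding warns about; the scoped variant keeps each cookie where its server set it, and the allowlisted migration records which names were copied and why.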

Unpinned Dependencies

Low
Category
Supply Chain
Content
twikit>=2.3.1
fastapi>=0.109.0
uvicorn>=0.27.0
pydantic>=2.0.0
Confidence
97% confidence
Finding
twikit>=2.3.1 sets only a lower bound, so each install resolves to whatever the newest published release is at that moment.

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
98% confidence
Finding
fastapi>=0.109.0 sets only a lower bound, so each install resolves to whatever the newest published release is at that moment.

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
98% confidence
Finding
uvicorn>=0.27.0 sets only a lower bound, so each install resolves to whatever the newest published release is at that moment.

Unpinned Dependencies

Low
Category
Supply Chain
Confidence
98% confidence
Finding
pydantic>=2.0.0 sets only a lower bound, so each install resolves to whatever the newest published release is at that moment.
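A check worth running before installing any skill that ships a requirements file: the added script below (not part of the skill or of the scanner) audits requirement lines and reports which ones carry only a range or no constraint, which are pinned with ==, and which are pinned and hash-locked. The four lines embedded in it are the ones flagged in the findings above; the pinned-and-hashed line in the demo uses a placeholder hash, not a real digest.

```python
import re
from typing import Dict, List, Optional

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([^,\s]+)")

# The four requirement lines flagged in the report above.
PAGE_REQUIREMENTS = """\
twikit>=2.3.1
fastapi>=0.109.0
uvicorn>=0.27.0
pydantic>=2.0.0
"""


def audit_requirement(line: str) -> Optional[Dict[str, str]]:
    """Classify one requirements.txt line; None for blank, comment and pip option lines."""
    body = line.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments and env markers
    if not body or body.startswith("-"):
        return None
    m = NAME_RE.match(body)
    if m is None:
        return {"line": line.strip(), "name": "", "status": "unparseable"}
    name = m.group(1)
    specs = SPEC_RE.findall(body)
    # Only == / === without a wildcard is an exact pin; ~= and ranges still float.
    exact = [v for op, v in specs if op in ("==", "===") and "*" not in v]
    hashed = "--hash=" in body
    if not specs:
        status = "unpinned: no version constraint"
    elif not exact:
        status = "unpinned: range only (" + ", ".join(op + v for op, v in specs) + ")"
    elif not hashed:
        status = "pinned, no hash"
    else:
        status = "pinned with hash"
    return {"line": line.strip(), "name": name, "status": status}


def audit_requirements(text: str) -> List[Dict[str, str]]:
    """Audit a whole requirements file, skipping non-requirement lines."""
    rows = (audit_requirement(line) for line in text.splitlines())
    return [r for r in rows if r is not None]


def unpinned_names(text: str) -> List[str]:
    """Names of every requirement that can resolve to a different release on a later install."""
    return [r["name"] for r in audit_requirements(text) if r["status"].startswith("unpinned")]


if __name__ == "__main__":
    for row in audit_requirements(PAGE_REQUIREMENTS):
        print(f"{row['name']:<10} {row['status']:<40} {row['line']}")
    print("floating:", unpinned_names(PAGE_REQUIREMENTS))
    # Placeholder digest (64 zeros), not a real hash: shows what a locked line looks like.
    locked = "fastapi==0.109.0 --hash=sha256:" + "0" * 64
    print(audit_requirement(locked)["status"])
```

Once every line is pinned and hashed, install with pip's --require-hashes option (pip install --require-hashes -r requirements.txt) so a substituted artifact on the index fails the install instead of running with access to cookies.json.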

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal