Back to skill

Security audit

X Engagement Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is an X/Twitter engagement automator that discloses account write access, but it can perform scheduled replies and likes without a clear per-action approval workflow.

Install only if you intend to let this skill use an X account for engagement. Keep it in manual mode unless you deliberately want automated likes or replies, use a dedicated least-privileged X API credential, verify the xapi command source, and monitor scheduled runs closely because public account actions may happen without per-post approval once automation modes are enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The agent imports and uses a subprocess execution primitive and forwards an API key from the environment to those subprocesses, but there is no manifest or other visible authorization boundary explaining why this capability is required. In a skill context, shelling out with secrets increases the attack surface because command construction, downstream tool behavior, and secret handling are harder to audit and can enable unintended external actions or credential exposure.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This code autonomously searches X, fetches mentions, generates responses, and performs replies and likes based on triggers such as heartbeat and cron, with no evident user approval or manifest-stated business purpose. That makes the skill capable of unattended social-media activity, which can be abused for spam, impersonation, manipulation, or reputational harm if configured maliciously or if inputs are adversarial.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises auto-posting to X and use of API credentials, but the description provides no warning that the tool may perform account-impacting actions on the user's behalf. In an agent ecosystem, that omission can mislead users into granting credentials or installing the skill without understanding that it may publish content, affect reputation, trigger rate limits, or violate platform policies.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The agent sends replies and likes via subprocesses without any in-code disclosure, confirmation, or user-facing warning that external actions will be taken. In an agent ecosystem, hidden outbound actions are risky because users may not realize the skill can publish content or interact with third-party services on their behalf, enabling covert or unexpected behavior.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The code reads an X API credential from the environment and passes it to a subprocess without any disclosure or visible controls around secret use. While this is a common implementation pattern, in a skill setting it still matters because operators may not understand that credentials are being consumed by external commands, and subprocess boundaries can complicate secret auditing and leakage prevention.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.