Back to skill

Security audit

Baoyu Danger X To Markdown

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it uses and stores sensitive X session cookies in ways users should review carefully before installing.

Install only if you are comfortable giving the skill access to your X session. Prefer dedicated environment variables over Chrome-cookie capture, review or delete the local cookies.json cache after use, avoid running it in sensitive shared workspaces, and use media downloading only when you expect remote files to be saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This code aggregates X authentication cookies from three sensitive sources: environment variables, a local cookie file, and a live Chrome session via CDP. Even if intended to support authenticated access, this is still credential-access behavior that exceeds a simple content-conversion function and creates a strong risk of unauthorized session use, token leakage in logs, or reuse beyond the user's clear understanding.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code launches or attaches to Chrome, opens an X login page, and polls Network.getCookies until required login cookies appear. That behavior is credential harvesting from an active browser context; in the context of a tweet/article-to-markdown skill, it is more dangerous because the advertised functionality does not inherently require taking over or inspecting a live authenticated browser session.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The exported tweet-detail path requests broader conversation, promoted, community, Birdwatch, and timeline-related metadata than is obviously necessary for converting a single tweet to markdown. In a skill whose purpose is format conversion, over-collection expands the authenticated data surface and can retrieve more user-associated or contextual content than the user likely expects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup flow instructs the agent to create directories and write an EXTEND.md file to either a user-level or project-level path, but it does not require explicit user notice or confirmation immediately before modifying the filesystem. In an agent setting, silent writes to disk can surprise users, create unwanted persistent state, and potentially write into sensitive locations if a custom path is later accepted without strong validation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code persists X/Twitter authentication cookies to disk in plaintext JSON without any visible protection, permission hardening, encryption, or user-facing disclosure at the point of storage. Because cookies are bearer credentials, any local process, malware, shared account user, backup system, or accidental file exposure could reuse them to access the victim's X session.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The environment-based loading path silently reads X_AUTH_TOKEN, X_CT0, and related secrets without any user-facing warning, confirmation, or scope limitation. In agent environments, env vars may be inherited implicitly, so this can cause sensitive session tokens to be consumed or exposed without the operator realizing the skill accesses them.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code persists recovered cookies to disk without an explicit disclosure, retention policy, or visible user acknowledgement. Persisting active session cookies increases the attack surface because filesystem compromise, backups, or other local tooling could recover reusable authentication material.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function fetches arbitrary remote URLs found in markdown and writes the response bodies directly to local files without any explicit consent, host allowlist, size validation, or content safety checks. In this skill's context, that creates a real risk of silent network access and persistence of untrusted content, including large files or deceptive media, especially if markdown can contain attacker-controlled URLs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code fetches additional referenced tweets by calling a reverse-engineered X API with the provided authentication cookies, expanding the scope of authenticated network access beyond the primary user-requested resource. Even if the feature is functional, the file itself performs these authenticated requests without any enforcement of explicit per-request consent, origin restrictions, or minimization controls, which can lead to unintended authenticated data access and privacy exposure if article content causes many referenced IDs to be resolved.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function unconditionally passes the provided cookieMap to fetchXArticle, which causes authentication material to be sent over a network request from this code path without any local consent check, warning, or scope restriction. In a skill that uses a reverse-engineered X API, this is especially sensitive because cookies may grant account-level access and could expose user session data to unintended requests if the target, logging, or upstream handling is unsafe.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/paths.ts:39

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/graphql.ts:256