Security audit

Tweet Search

Security checks across malware telemetry and agentic risk

Overview

This is a broad but clearly disclosed Xquik/X integration skill that can perform sensitive account actions only through user-provided API access and documented confirmation gates.

Install only if you trust Xquik with the X data and account actions you enable. Use a scoped, revocable API key, prefer environment variables over hardcoded config values, confirm every post/DM/profile/payment/webhook/monitor action, and be careful with bulk exports or webhook destinations because they can expose large amounts of X data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: This section exposes numerous high-impact write operations on connected X accounts, but confirmation requirements are only mentioned inconsistently. In an agent setting, missing or uneven confirmation guidance can enable unintended posting, deletion, follows, DMs, profile edits, or community actions from ambiguous or malicious prompts.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: This documentation normalizes large-scale extraction, enrichment, and export of X user/tweet data without any visible privacy, consent, acceptable-use, or retention guidance. In a skill explicitly designed for bulk scraping and account analysis, that omission increases the likelihood of misuse for profiling, monitoring, or mass collection of personal data, even if the data is nominally public.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: Multiple configuration examples instruct users to place live API keys directly into local config files and headers using placeholders like `xq_YOUR_KEY_HERE`, while only some sections recommend environment-variable interpolation. This increases the risk of accidental secret persistence in plaintext files, backups, screenshots, and version control, which could let an attacker reuse the key to access the Xquik account and perform billable or sensitive API actions.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: The document defines write-capable request types for creating tweets, sending DMs, and updating profiles without an explicit warning that these operations modify a connected X account and should require clear user confirmation. In an agent skill intended for automation, this increases the risk that downstream agents or integrators treat these types as routine data operations and perform account-changing actions without adequate consent or safety gating.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: The webhook section documents creation and testing of webhooks but does not clearly warn that monitored event data will be transmitted to whatever external HTTPS endpoint the configured URL points to. In this skill's context, that omission can cause inadvertent exfiltration of tweet/event data to third-party infrastructure and may lead users to underestimate the privacy and trust implications of webhook configuration.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.