X tweet publisher

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it posts text and selected media to X using user-provided API credentials, with no hidden behavior found.

Install only if you are comfortable giving this skill credentials that can post from the configured X account. Review text and media paths before running the tweet command, consider using a dedicated account or least-privilege tokens, and avoid storing credentials where other local processes or shared users can read them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The script performs irreversible external actions—uploading local media and publishing content to X—without an explicit warning or confirmation step that data will be transmitted to third-party servers and may become public. In agent or automation contexts, this increases the risk of accidental disclosure of sensitive text, images, or videos through unintended invocation or user misunderstanding.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal