X OAuth API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real X API client, but it needs Review because it can post or delete from a live account and its declared scope conflicts with implemented search and mentions features.

Install only if you are comfortable giving it OAuth authority over the connected X account. Treat search and mentions as available despite the frontmatter wording, require explicit review before posts or threads, verify tweet IDs before deletion, and avoid the automation template unless unattended public posting is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description says it is not for search, mentions, or media uploads, but the documentation advertises those capabilities and the finding references additional automation/heartbeat behavior. This mismatch can mislead reviewers and users about what the skill can do, causing it to be approved or invoked in contexts that permit broader data access, monitoring, or posting than expected.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README advertises `mentions` and `search` functionality even though the skill metadata explicitly states the skill is not for search or mentions. This scope mismatch can cause users or higher-level agents to invoke capabilities the skill is not supposed to expose, increasing the risk of unsafe delegation, policy bypass, or unexpected API usage and billing behavior.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest explicitly says the skill is not for search, mentions, or media uploads, while the body documents commands for mentions, search, and media attachments. This is a true scope-deception issue because consumers may rely on the top-level declaration when deciding whether the skill is acceptable to install or execute.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The overview normalizes mentions, search, and media posting despite later caveats that these require a paid tier and despite the manifest saying the skill is not for them. While this is primarily a documentation integrity problem, it increases the risk of unauthorized or unexpected network requests and review bypass through confusing capability presentation.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata explicitly says it is not for search or mentions, yet the implementation includes both capabilities. This scope mismatch is dangerous because agents and users may rely on the manifest to make trust and permission decisions, while the code can still access additional data sources and perform unintended surveillance-like actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is not just a user-invoked helper for posting to X; it is explicitly designed as an automated posting template with persistent state, rate controls, and autonomous content generation. This broadens capability beyond the declared skill context and increases the risk of unattended posting, policy violations, or abuse if invoked by another scheduler or automation layer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README documents commands that post, thread, and delete tweets without clearly warning that these actions perform live mutations on the user's real X account. In an agent setting, missing side-effect warnings can lead to accidental public posting or deletion, causing reputational damage, loss of content, and unintended account activity.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Documenting destructive deletion functionality without any confirmation, dry-run, or warning guidance creates a real safety risk. In an agent context, ambiguous user prompts or tool misuse could lead to irreversible deletion of tweets without sufficient operator awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The `delete` command performs an irreversible destructive action immediately, with no confirmation prompt, dry-run mode, or safeguard against accidental invocation. In an agent setting, this increases the chance of unintended content deletion from ambiguous instructions, prompt injection, or simple operator error.

VirusTotal

57/57 vendors flagged this skill as clean.
