
Security audit

X Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it can use stored X/Twitter credentials to publish or engage from an account without clear approval or credential-safety safeguards.

Install only if you are comfortable giving this skill X/Twitter API credentials that can read and modify an account. Prefer a dedicated low-privilege token, restrict credential-file permissions, verify the USER_ID/account before every write action, and avoid auto-interaction unless you have external review, rate limits, logs, and a clear disable path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation describes capabilities that require local file access for credential/state handling and network access to Twitter/X, but no permissions are declared. Missing permission declarations reduce transparency and can cause users or platforms to underestimate the skill's ability to access sensitive files and communicate externally. In this context, the risk is elevated because the skill handles account credentials and can take actions on behalf of users.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs storing per-user Twitter API credentials in local JSON files under predictable paths. Persisting secrets this way creates a substantial risk of credential theft, accidental disclosure, insecure backups, or cross-user access if filesystem permissions are weak or user IDs are guessable. Because these are write-capable account tokens, compromise could lead to unauthorized posting, reading, and account abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation tells users to store sensitive Twitter credentials locally but provides no warning about the security implications. Users may unknowingly persist highly privileged tokens in insecure locations, increasing the chance of compromise and unauthorized account actions. The context makes this more dangerous because the tokens enable live access to social media accounts and associated data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents an auto-interaction feature capable of autonomous replies without clearly warning users that it can take actions on their behalf. Lack of explicit notice and consent can lead to unintended posting, spammy behavior, reputational harm, or policy violations if the automation is misconfigured or triggered unexpectedly. In this context, autonomous social-media actions are materially risky even if technically intended.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This function performs a state-changing action on a user's X account by retweeting a tweet immediately when called, with no confirmation, preview, policy gate, or authorization check beyond possession of stored credentials. In an agent-skill context, that makes unintended or prompt-induced social actions more likely, which can cause reputational damage, spam-like behavior, or abuse of the connected account.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.