Post to X Enhanced

Security checks across malware telemetry and agentic risk

Overview

This skill is a real X/Twitter publishing automator, but it needs Review because it can control an authenticated Chrome session, use desktop clipboard/keystrokes, and publish public content with weak consent boundaries.

Install only if you intentionally want an agent to automate a logged-in X/Twitter account. Use a dedicated Chrome profile, avoid --submit unless you have reviewed the exact post/article, do not feed it untrusted markdown with remote images, expect clipboard contents to be overwritten during fallback workflows, and do not allow automatic Chrome process killing without reviewing what will be terminated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Clipboard manipulation is broader than what is needed for posting to X and can expose or overwrite sensitive clipboard contents such as passwords, tokens, or copied confidential text. In a browser-automation skill with anti-bot bypass and automation fallbacks, this extra capability increases the risk of unintended data access and side effects on the host system.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is presented as posting to X, but the documentation expands into broader local-system operations such as clipboard access, accessibility checks, and runtime/environment inspection. Those side effects are security-relevant because they touch sensitive host resources beyond the core publishing task.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims the scripts only fill content for manual review, yet it separately instructs the agent to automatically kill Chrome/Chromium debugging instances and retry without asking the user. Unprompted process termination is a significant side effect that can disrupt unrelated browser sessions, automation tasks, or data in progress.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Automatically terminating Chrome CDP instances is not necessary for the user-facing goal of preparing a post, and it affects system state outside the skill's own boundary. Because the command uses broad process-name matching, it may interfere with unrelated debugging sessions or other tools that rely on Chrome remote debugging.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This script performs real OS-level input injection by invoking osascript, xdotool/ydotool, and PowerShell SendKeys to paste clipboard contents into whichever application is frontmost or a caller-specified target. That capability is broader than 'post to X' and can misdirect sensitive clipboard data into arbitrary apps, chats, terminals, or privileged dialogs if focus is wrong or if the helper is reused outside its intended flow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This helper actively searches Chrome user-data directories, reads DevToolsActivePort files, inspects the local process list, and attaches to already-running Chrome instances over the DevTools protocol. In a skill whose stated purpose is only posting to X, that substantially expands access to the user's live browser context, including authenticated sessions, open tabs, and browsing state, creating a real risk of unauthorized data access or unintended actions beyond tweeting.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is explicitly built to compose and publish X Articles at https://x.com/compose/articles, which is materially broader and different from a skill described as posting tweets/content to X. This scope mismatch is dangerous because users or calling agents may invoke it expecting a simple post action, but the code can create long-form content, upload media, and publish to a different surface with different consequences.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code searches for and reuses an existing Chrome DevTools port for the user's profile, then attaches a CDP session with broad browser automation powers. That gives the skill effective control over the user's authenticated browser context well beyond what is necessary to post content, enabling access to unrelated tabs, cookies, session state, and any actions possible through DevTools if misused or compromised.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code uses macOS-wide automation primitives (`osascript`, `System Events`, `pbcopy`) and clipboard-based workflows to drive Chrome and paste content. These mechanisms act outside the browser tab boundary, can interfere with or overwrite the user's global clipboard, and may target the wrong active window or application if focus changes, creating unintended data exposure or unintended input injection.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This utility invokes external executables via shell-enabled subprocesses ('bun' and 'npx ... bun') even though the skill's purpose is posting to X. Because arguments are forwarded into a shell and 'npx' may resolve packages dynamically from the environment/network, this expands the attack surface to command execution and supply-chain abuse beyond what users would reasonably expect from a posting skill.

Scope Creep

Medium
Confidence
92% confidence
Finding
The manifest claims no permissions while the description clearly indicates the skill performs real browser automation with Chrome/CDP to publish content to X. This creates a transparency and policy-enforcement gap: reviewers, users, or permission-based controls may underestimate the skill's ability to drive an authenticated browser session and perform external actions on the user's behalf.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README openly advertises bypassing anti-bot detection and controlling a real browser session without disclosing the security and compliance implications of that behavior. In this context, omission of warnings is dangerous because browser-control side effects can interact with authenticated sessions, trigger unintended clicks/navigation, and expose the user's account to suspension or abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README openly advertises bypassing anti-bot detection and controlling a real browser session without disclosing the security and compliance implications of that behavior. In this context, omission of warnings is dangerous because browser-control side effects can interact with authenticated sessions, trigger unintended clicks/navigation, and expose the user's account to suspension or abuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatic file-path detection that reads local file contents from a text argument can cause sensitive local data to be ingested and potentially posted if a user or upstream agent passes a path unintentionally or maliciously. In a skill whose purpose is publishing to X, combining implicit file reads with automated posting creates a clear data-exfiltration path from the local machine to a public platform.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad everyday requests such as 'post to X' or 'tweet,' which can lead to accidental invocation in contexts where the user did not intend to grant browser automation, file access, or clipboard/keystroke actions. Overbroad activation increases the chance of the skill being run with surprising side effects.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions explicitly allow killing Chrome processes and retrying automatically, without warning or confirmation. That creates a dangerous control path where the agent can alter the user's running applications and potentially disrupt active work or other automations with no consent checkpoint.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manifest explicitly advertises automated posting to an external social-media account, browser automation, and automatic media upload, but does not disclose any user-facing warning, confirmation step, or account-impact notice. For a skill that can publish content to a real third-party service, this omission increases the risk of unintended posting, account misuse, privacy leakage through uploaded media, and reputational damage if invoked without clear user awareness.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that remote images are automatically downloaded to a temp directory, but it does not clearly warn users that this triggers outbound network requests to third-party servers and stores fetched content locally. In a publishing skill that may process untrusted markdown, this can expose IP/network metadata, create unexpected disk artifacts, and fetch attacker-controlled content without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explains that the publisher uses a real Chrome instance with a persistent profile and saved login, but does not prominently frame this as a security-sensitive behavior. Using an authenticated persistent browser profile increases the risk of unintended account actions, session exposure, and interaction with existing local browser state if the skill is run on shared or sensitive systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation shows `--submit` as a normal usage option, but does not strongly emphasize that it performs a live publish to the user's X account and changes account state. In an agentic context, insufficiently prominent warning around irreversible external actions can lead to accidental posting of drafts, sensitive content, or attacker-supplied material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs the agent to manipulate the system clipboard, bring Chrome to the foreground, and send real paste keystrokes, but it does not clearly warn that these actions can overwrite the user's clipboard and inject input into whatever app is frontmost if focus changes. In an agent skill, this is dangerous because it can cause unintended data disclosure or actions outside X/Twitter, especially on a live desktop where window focus may shift unexpectedly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The parser automatically fetches any HTTPS image referenced in markdown/frontmatter, causing network egress and processing of untrusted remote content without explicit opt-in. In an agent skill that handles user-supplied markdown for publishing, this can leak that the host accessed attacker-controlled URLs, expose IP/network metadata, and enable SSRF-style access attempts to internal services if redirects or permissive hostname resolution are abused.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When --submit is supplied, the script directly clicks the publish button after preview without an explicit confirmation step at the moment of publication. In this skill context, publication is an externally visible, potentially irreversible action affecting the user's public account, so the lack of an in-flow confirmation increases the risk of accidental or unauthorized posting.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When `--submit` is provided, the script proceeds to click the Post button and publish content without an in-flow, last-mile user confirmation step. Because this skill automates a real social-media account and can reuse an existing logged-in Chrome profile, mistaken invocation, prompt confusion, or upstream agent misuse can cause unauthorized or unintended public posting.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code reads X/Twitter session cookies from the attached browser profile and reconstructs a cookie map containing authentication tokens. Even if used for session verification, accessing auth cookies is sensitive because it exposes credential material that could be repurposed for account takeover or leakage through logs, errors, or downstream code.

VirusTotal

66/66 vendors flagged this skill as clean.
