File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/auth.js:83
- Evidence
headers.Authorization = [REDACTED](params.config.clientId, clientCredential);
Security audit
Security checks across malware telemetry and agentic risk
This X/Twitter plugin requests powerful account access, but its files consistently describe and implement that purpose with local OAuth/session storage and approval-gated publishing.
Install only if you intend to connect your own X developer app and allow this plugin to read account data and publish approved drafts. Keep the session file in a private path, treat it like a password because it may contain refresh tokens, and require human review before using the approve and publish tools.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
headers.Authorization = [REDACTED](params.config.clientId, clientCredential);