Security audit

X Social Manager Dist

Security checks across malware telemetry and agentic risk

Overview

This X/Twitter manager is coherent, but it asks for account-level authority, automatic setup, persistent profiling, and local agent changes that users should review carefully.

Install only if you are comfortable giving an agent meaningful control over your X/Twitter account. Preinstall and review uv/twitter-cli yourself, confirm which account is authenticated, require fresh approval for every post, reply, DM, delete, like, follow, or scheduled action, and periodically review or purge the memory and real-replies archive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to modify the host environment by installing software and, if needed, executing a remote shell installer via `curl ... | sh`. That exceeds the core task of social-media assistance and creates a supply-chain and arbitrary code execution risk on the user's machine or agent runtime.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill directs the agent to detect its host environment and create sub-agents in IDE- or CLI-specific locations, which expands into modifying local configuration outside the stated X/Twitter management scope. This can lead to persistence, unintended filesystem changes, and broader platform-specific side effects that users may not expect from a social media skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The x-feed-researcher is given Bash and explicitly instructed to use curl to download remote media, even though its core purpose is topic research and summarization. That expands the sub-agent from content analysis into arbitrary network/file operations, increasing the blast radius if prompt injection, malicious URLs, or unsafe command composition occur during research workflows.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The x-intel-updater is authorized to persistently modify memory and strategy files as part of an automated workflow, creating autonomous state-changing behavior beyond simple content assistance. In the presence of bad inputs, prompt injection, or incorrect analysis, it can silently corrupt long-lived profile data and steer future agent behavior without clear user review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that the skill automatically researches the user's X account and relies on an active browser session for cookie-based authentication, but it does not clearly explain what data is collected, how browser-authenticated actions are performed, what is stored in local files, or what privacy/security boundaries apply. In a skill that can read/write files, run commands, and access social accounts, this omission increases the risk of users unknowingly exposing account data, behavioral history, or performing unintended authenticated actions.

Vague Triggers

High
Confidence
89% confidence
Finding
The trigger description includes very common terms such as "post," "content," "growth," "brand," and "DM outreach," making accidental invocation likely in unrelated contexts. Because this skill also performs account analysis, file updates, CLI actions, and potential posting behavior, overbroad triggering materially increases the chance of unintended execution of sensitive workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill collects, analyzes, and stores account data, replies, engagement metrics, competitor information, and persistent memory without a clear user-facing privacy notice in the description. Users may not realize the breadth of behavioral profiling and retention performed, leading to consent and data-handling risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The reference documents `twitter delete TWEET_ID` as a one-step destructive action with no surrounding warning, confirmation pattern, or guidance to require explicit user approval before deletion. In a social-media management skill, this increases the risk that an agent could delete posts based on ambiguous instructions or workflow errors, causing account, reputational, or business harm.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The workflow explicitly says to run when the user asks to plan content, or to proactively suggest it during engagement sessions, which broadens activation beyond a clearly bounded user request. In an agent setting, this can cause unsolicited collection and analysis of feed and competitor data, increasing the chance of overreach, privacy issues, and unintended actions based on weak intent signals.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file states that its contents are automatically re-ranked, expanded during onboarding, and maintained by agent workflows without any visible trust boundary, approval step, or warning that the skill's behavioral guidance may be modified automatically. In an agent skill, silent prompt/content mutation can become a supply-chain style risk: compromised update logic or poisoned inputs could alter future outputs and strategies without operator awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explicitly directs the agent to continuously append interaction-derived data and never delete old entries, creating indefinite retention of behavioral, engagement, and potentially identifying information. In this skill context, that is risky because the memory includes real replies, audience intelligence, leads, and account history without any consent, minimization, retention limit, or privacy notice.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file explicitly instructs the agent to collect and store the user's exact Twitter/X replies verbatim for ongoing use, but it provides no notice, consent flow, retention limit, or deletion policy. Even if the source content is publicly posted, aggregating it into a persistent archive for style modeling increases privacy risk and can expose sensitive behavioral patterns, personal data, or account-linked context beyond the user's expectations.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases for x-reply-crafter are broad enough that ordinary conversation about replying could activate the sub-agent unintentionally. Misrouting tasks to a specialized prompt can expose unnecessary context and produce actions or outputs the user did not intend, especially in multi-agent environments.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The x-feed-researcher can be triggered by generic research-related phrases, which risks unnecessary activation of a more capable sub-agent with Bash access. In this skill, unintended activation is more dangerous because the researcher has external-search and shell-oriented responsibilities, increasing exposure to untrusted content and tool use.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The x-post-composer trigger phrases are somewhat generic and may cause the post-writing agent to activate when the user is only brainstorming or discussing content. While lower risk than shell-enabled agents, unintended routing can still leak user profile/strategy context and produce off-target outputs.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The x-intel-updater can be activated by broad phrases like updating strategy or what's working, which may unintentionally invoke a write-capable sub-agent. Because this agent modifies persistent files, accidental activation has higher consequence than a read-only assistant and can alter long-term behavior or records without clear consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file describes automatic updates to strategy artifacts without any user-facing warning or approval gate. Silent persistent modification is risky in agent systems because users may not realize future outputs are being shaped by altered memory/strategy files, and poisoned or low-quality updates can accumulate over time.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The file mandates a single rigid writing style and explicitly requires all replies to conform to it, without any user opt-in or allowance for different contexts. In a social-media manager skill, this can override user intent, produce deceptive impersonation-style output, and pressure the system to preserve artificial quirks or mismatched tone even when the user wants a different voice.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code: suspicious.prompt_injection_instructions
Location: references/subagent-definitions.md:26