Production-ready Twitter/X data and automation for autonomous agents

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about its risks, but it can still send Twitter credentials to a third-party service and perform account-changing actions, so it belongs in Review.

Install only if you trust AIsa with your API key, search queries, and any Twitter credentials you choose to provide. Prefer read-only use. Do not use the write features with a primary, verified, business-critical, or high-value account; if write access is necessary, use a dedicated low-value automation account with a unique password and review provider retention, revocation, and account-safety practices first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no explicit permissions despite clearly requiring environment access for `AISA_API_KEY` and network access to `api.aisa.one`. This weakens sandboxing and user understanding, making it easier for a host agent or operator to underestimate the skill's real capabilities and approve execution without appropriate restrictions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill is presented as a read-only Twitter monitoring/search tool, but the documented behavior includes credentialed login to a third-party service and write actions such as posting, liking, retweeting, and profile updates. This is dangerous because users and automation frameworks may grant trust based on the benign description while the skill can perform materially riskier actions and transmit highly sensitive credentials externally.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document explicitly states that write functionality and credential-based login still exist while the skill branding has been shifted to a safer monitoring-focused presentation. This mismatch can mislead users and downstream reviewers into underestimating the presence of credential transmission and account-manipulation features, increasing the chance of unsafe deployment or trust decisions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The 'safe operations by default' framing conflicts with the file's own admission that high-risk write operations still transmit Twitter credentials to a third-party API. Even with warnings, minimizing this fact in top-level descriptions is a form of security-significant misrepresentation that can cause users to install or authorize the skill under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation explicitly preserves write capabilities such as login, post, like, and retweet even though the skill is marketed as a search/monitoring tool with 'safe read-only operations by default.' This creates a capability/expectation mismatch that can mislead users and downstream platforms into enabling credentialed or account-modifying actions in a package whose stated purpose does not require them.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented engagement features are unnecessary for the stated use case of search, monitoring, trend tracking, and social listening, so they expand the attack surface without functional justification. In this context, retaining login and posting actions is more dangerous because users seeking passive intelligence gathering may not expect the skill to handle credentials or perform external state-changing actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README explicitly documents write-capable Twitter actions and states that account credentials, including email, password, and proxy, are transmitted to a third-party API. That is inconsistent with a skill positioned as a search/monitor command center with safe read-only behavior by default, and it materially expands the trust boundary to include full social-media account control.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Account-modifying capabilities such as posting, liking, retweeting, and updating profiles are not justified by a social listening/search/monitoring use case. In this context, these actions create unnecessary risk of account takeover, unauthorized posting, reputational damage, and abuse, especially because the README already indicates authentication material is shared with an external provider.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The security document explicitly documents and conditionally endorses write/automation features such as login, posting, liking, retweeting, and profile updates, even though the skill is described as a read-only search/monitor tool. This expands the apparent capability boundary of the skill and normalizes risky account-control behavior through a third-party API, creating a mismatch that can mislead operators and increase the chance of credential exposure or policy-violating use.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documentation describes transmitting Twitter email, password, and proxy details to a third-party API for automation, which is far beyond what a search/monitor command center needs. Even as documentation, this is dangerous because it legitimizes credential sharing for unnecessary functionality and can lead users to expose account secrets to an external service under the guise of this skill.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The document presents read operations as involving 'No sensitive data transmission' and being safe for production use, while later discussing supported operations that do involve sending credentials and proxy data. This inconsistency can cause users to underestimate risk, misunderstand the actual trust boundary, and apply the skill in environments where sensitive data handling would otherwise be prohibited.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The document explicitly confirms that write operations still require sending Twitter credentials to a third-party API, even while repositioning the skill as safe/read-only. Warnings and documentation do not mitigate the core issue: credential collection and relay to an external service materially increase account-compromise, takeover, and misuse risk.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
For a skill described as search-and-monitor, retaining posting/liking/retweeting via third-party credential submission is unnecessary and expands capabilities well beyond the stated purpose. That mismatch increases the chance of deceptive packaging, unintended credential exposure, and misuse of accounts for spam or unauthorized actions.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation emphasizes safe monitoring while also retaining intentionally preserved high-risk write operations, creating a misleading trust signal. This can cause users or downstream reviewers to underestimate the danger and approve or deploy the skill in contexts where credential-handling behavior is unacceptable.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest's claim that the skill is 'safe read-only operations by default' is misleading because the same file documents login, posting, liking, retweeting, and profile updates. Even if these actions are optional, describing the skill as effectively safe/read-only can cause unsafe deployment assumptions and lower scrutiny around account-compromising flows.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This script performs repository cleanup, deletion, secret scanning, and packaging preparation, which are unrelated to a Twitter/X search and monitoring skill advertised as read-only. That mismatch is dangerous because it expands the skill's capabilities into destructive local filesystem operations that a user would not reasonably expect from the declared functionality.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script recursively deletes files and directories across the repository using broad find patterns and rm -rf, despite the skill being described as read-only social listening. In this context, the capability is unjustified and dangerous because accidental or unauthorized execution can destroy project data, user files within the working tree, and evidence needed for review.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Secret scanning and package-distribution preparation are not part of the declared social listening function, so their presence indicates unnecessary access to repository contents. While not inherently malicious, these features increase the skill's scope and can expose sensitive filenames, content matches, and packaging metadata from the local environment.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file explicitly implements credential-submitting and write-capable Twitter operations even though the skill is described as a read-only search/monitor tool. This creates a dangerous capability mismatch: users or downstream agents may trust the skill as passive while it can exfiltrate account credentials to a third-party service and perform account actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code contains automation methods for logging into Twitter and performing account actions that are unnecessary for a social listening or intelligence-gathering skill. In this context, these functions materially expand the attack surface by enabling credential handling, impersonation, spam, and unauthorized account activity if invoked by an agent or user who expects read-only behavior.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation says read operations require no authentication and no credentials are transmitted, but the implementation always requires an AISA_API_KEY from the environment or constructor. This mismatch can mislead reviewers and operators about what secrets are needed and what data is sent off-box, undermining informed consent and safe deployment decisions.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The guidance to use 'human-like behavior patterns' for automated activity is effectively advice for reducing detection of platform automation controls. That increases abuse potential, encourages evasive behavior, and can facilitate sustained policy-violating account automation beyond the advertised read-only use case.

External Transmission

Medium
Category
Data Exfiltration
Content
#### Step 1: Account Login (Async Operation)

```bash
curl -X POST "https://api.aisa.one/apis/v1/twitter/user_login_v3" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
99% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
#### Post a Tweet

```bash
curl -X POST "https://api.aisa.one/apis/v1/twitter/send_tweet_v3" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
94% confidence
Finding
https://api.aisa.one/

External Transmission

Medium
Category
Data Exfiltration
Content
#### Like a Tweet

```bash
curl -X POST "https://api.aisa.one/apis/v1/twitter/like_tweet_v3" \
  -H "Authorization: Bearer $AISA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
93% confidence
Finding
https://api.aisa.one/

VirusTotal

66/66 vendors flagged this skill as clean.
