X Bookmarks

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real X/Twitter bookmark tool, but it asks for and stores sensitive account credentials and includes write-capable bookmark access despite read-only framing.

Install only if you are comfortable giving the skill access to private X bookmarks and sensitive X authentication material. Prefer a read-only OAuth app unless you intentionally need unbookmarking, protect .env.bird and ~/.config/x-bookmarks files, avoid using --print-token in logged terminals, verify bird-cli before using browser-cookie access, and enable cron digests only when you understand how to disable them and revoke stored tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The README promises the agent can take downstream actions such as cloning repos, testing software, and comparing trading strategies, which materially expands the perceived authority and execution scope of a bookmark skill. This is dangerous because users or orchestration systems may rely on the README as authorization context and trigger unrelated high-risk operations based on bookmark content, enabling unintended code execution or sensitive decision support flows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The skill is presented as bookmark management, but the workflows expand into taking action on bookmarked content beyond retrieval and summarization. This broadening increases the chance that an agent will perform unintended follow-on operations from untrusted bookmark content, expanding the skill's effective authority without clear user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
Authorizing the agent to test repositories, set up tools, analyze code, or implement actions based on bookmarked content is a dangerous scope expansion. Bookmarks are untrusted input; turning them into execution or setup instructions creates a path for prompt injection, supply-chain exposure, or execution of malicious code/tools referenced in tweets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The documentation claims read-only X access, yet it also includes an unbookmark command that changes the user's remote account state. This mismatch is security-relevant because users may grant or invoke the skill believing it cannot perform remote writes when it actually can.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The security section says credentials are never transmitted to third parties, but the X API backend necessarily sends tokens to X/Twitter services and the bird path relies on browser-derived authentication material. Misstating credential transmission and trust boundaries can cause users to make unsafe authorization decisions based on false assurances.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The helper requests the bookmark.write scope even though the skill is described mainly for reading, summarizing, and analyzing bookmarks. Overbroad OAuth scopes violate least privilege and, if the token is exposed or the tool is misused, enable modification of the user's bookmarks in addition to read access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The --print-token option exposes the raw bearer access token to stdout, where it may be captured by shell history, logs, terminal recording, process supervisors, or other tooling. Any party obtaining that token can impersonate the user to the X API within the granted scopes.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The README encourages scheduled automatic bookmark checks and digest delivery without warning about the privacy sensitivity of bookmarks, token/cookie handling, retention, or where digests may be stored or sent. In this context, bookmarks can reveal private interests, research, or confidential workflows, so normalizing unattended collection increases the risk of silent data exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The instructions tell users to extract `auth_token` and `ct0` from browser DevTools and optionally persist them in shell environment files without any warning that these are highly sensitive session credentials. Anyone who obtains these values can impersonate the user's X session, access account data, and potentially perform actions as that user.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The document states that OAuth tokens are saved automatically to `~/.config/x-bookmarks/tokens.json` but does not warn users that this file contains bearer/refresh credentials requiring protection. Local token files are a common target for malware, multi-user host leakage, backups, and accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The client secret is stored on disk in config.json without setting restrictive file permissions and without any warning to the user. On multi-user systems or in lax environments, this can expose a confidential OAuth client secret to other local users or backup/logging systems.

VirusTotal

64/64 vendors flagged this skill as clean.