Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- scripts/keyapi-api.mjs:127
Security audit
Security checks across malware telemetry and agentic risk
The skill is a disclosed KeyAPI/Twitter analysis helper that uses a local API token and optional shell-profile setup, with no hidden exfiltration or destructive behavior found.
Install this if you are comfortable using a KeyAPI token and sending Twitter/X lookup queries and returned data to KeyAPI. Prefer the interactive setup command over the --token form to avoid exposing the token in shell history or process lists, review the managed shell-profile entry it creates, and approve clear limits before broad follower, following, or social-graph reports.
63/63 vendors flagged this skill as clean.
Detected: suspicious.env_credential_access, suspicious.secret_argv_exposure