Is bubblyjove/falcon safe?

https://github.com/openclaw/skills/tree/main/skills/bubblyjove/falcon

90 · SAFE

Falcon is a well-constructed Twitter/X CLI skill that wraps the commercial TwexAPI service. The skill code demonstrates good security hygiene (strict input validation, credential isolation via temp files, safe JSON construction) and no malicious behavior was detected during installation. The primary concern is architectural: all Twitter interactions—including the user's TWITTER_COOKIE authentication token—transit through the third-party api.twexapi.io service, and the skill enables real-world social media write operations that require careful agent confirmation behavior. Canary files were not accessed or modified by the skill, and all installation-time network activity was expected.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (8)

MEDIUM TWITTER_COOKIE Transmitted to Third-Party TwexAPI Service -15

Every write and engagement command (tweet, reply, quote, like, unlike, retweet, bookmark, follow, unfollow) constructs a JSON body containing the user's TWITTER_COOKIE and POSTs it to api.twexapi.io. This commercial intermediary has persistent access to the user's Twitter authentication credential. If TwexAPI is compromised or behaves maliciously, the cookie could be replayed to impersonate the user independently of the skill.

LOW Overly Broad Bash(chmod:*) Permission -10

The .claude/settings.local.json grants Bash(chmod:*), allowing the chmod command with arbitrary arguments. While the intent is to make falcon.sh executable, this permission could be exploited by a compromised agent to chmod sensitive files (e.g., making ~/.ssh/authorized_keys world-writable).

LOW Hardcoded Developer Path in settings.local.json -5

All Bash permission entries in settings.local.json reference /home/user/Documents/Falcon/falcon, a developer's local machine path that does not exist at the actual install location (/home/oc-exec/skill-under-test/). The catch-all Bash(/home/user/Documents/Falcon/falcon:*) entry will therefore never match, rendering most explicit permission grants ineffective. This is a publishing artifact indicating the settings file was not reviewed before release.

LOW All Twitter Traffic Proxied Through Commercial Third-Party (TwexAPI) -12

The skill routes 100% of Twitter interactions through api.twexapi.io rather than Twitter's official API. TwexAPI observes the full content of every search query, user lookup, and tweet read, as well as the authentication token. Users have no visibility into TwexAPI's data retention, logging, or subprocessor agreements. The skill's security posture is entirely dependent on this third party.

LOW Write Operations Can Cause Real-World Social Media Actions -10

The skill includes commands that post public tweets, reply to tweets, quote-tweet, like, retweet, bookmark, follow users, and unfollow users. Although SKILL.md instructs the agent to confirm before write commands, an agent that ignores this instruction (due to prompt injection in tweet content, hallucination, or misconfiguration) could take unintended irreversible social media actions on the user's account.

INFO Canary File Accesses Attributed to Audit Monitoring Infrastructure 0

The audit detected OPEN+ACCESS syscalls on /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at two points: before skill installation (audit timestamp 1771926642.240, consistent with canary file placement) and after audit completion (1771926665.935, consistent with integrity verification). All accesses are CLOSE_NOWRITE. falcon.sh has no code that reads any of these files. Canary integrity check explicitly passes. These accesses are attributed to the oathe monitoring infrastructure, not the skill.

INFO Positive: Credentials Handled via Temp Files, Not Process Arguments 0

The api_get, api_post, and api_delete functions write the Authorization header to a mktemp-created file (chmod 600) and pass it to curl via -H @file, ensuring TWEXAPI_KEY never appears in the process argument list (visible via /proc/*/cmdline or ps). A registered EXIT trap deletes all temp files on script exit.

INFO Clone Network Activity Fully Explained 0

All observed network connections during installation are accounted for: github.com (140.82.121.4:443) for the git sparse-checkout clone, and Ubuntu/Canonical servers (91.189.91.49:443, 185.125.188.58:443) for standard Ubuntu MOTD update checks triggered by SSH session establishment. No connections to api.twexapi.io or Twitter domains occurred during installation.