Is lobstergeneralintelligence/x-api safe?

The audit source collection command used a glob pattern matching '.js' files, which does not match '.mjs' ES module files. The file scripts/x-post.mjs is the sole executable in this skill — it handles credential loading, OAuth 1.0a signing, and the Twitter API call. Without reviewing its source, it is impossible to verify the absence of credential harvesting, secondary exfiltration endpoints, dynamic code loading, or any other malicious behavior. This is the highest-risk unreviewed artifact in the skill.

At audit timestamp 1771908228.024 (approximately 6 seconds after skill files were copied into place), auditd PATH records show sequential access to six categories of sensitive credentials: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. None of these correspond to the X API credentials this skill is documented to use (~/.clawdbot/secrets/x-api.json or X_API_KEY env vars). The EXECVE log at that timestamp does not clearly attribute these accesses to a specific process. The access pattern — six distinct credential types in one burst — is consistent with a credential enumeration sweep.

The skill reads X API consumer key, consumer secret, access token, and access token secret and — per its documented behavior — transmits these as OAuth 1.0a signed requests to the Twitter API. Because x-post.mjs source was not captured, it cannot be verified that credentials are transmitted only to api.twitter.com and not additionally logged, sent to a secondary host, or included in URL parameters that could be captured by intermediaries.

Canary/honeypot files were opened and read (confirmed by OPEN+ACCESS+CLOSE_NOWRITE inotify events and corroborating auditd PATH records) at two distinct times. The first burst at 1771908210.662 is consistent with audit system baseline setup occurring before the clone. The second burst at 1771908228.024 occurs after installation completes and is not clearly explained by audit system activity in the EXECVE log at that timestamp. The canary integrity check confirms file contents were not modified and no exfiltration was detected by the honeypot token mechanism.

The sequential access of .env, SSH private key, AWS credentials, npm auth token, Docker registry auth, and GCloud application credentials in a single burst is broader than any reasonable legitimate purpose for an X API posting skill. If this access originated from skill-related code rather than the audit system, it would represent an attempt to harvest the broadest available credential set from the host environment.

The skill enables the hosting agent to post to X without per-post user confirmation. In a multi-skill agent environment, content from web browsing, file reading, or other skills could contain prompt injection payloads that trigger the x-api skill to post attacker-controlled content. The user's X account and OAuth credentials would then be used to distribute spam, misinformation, or reputationally damaging content without explicit user authorization for that specific post.

Full review of SKILL.md found no prompt injection attempts. The file contains only standard Markdown documentation: a frontmatter header, usage instructions, credential setup steps, example shell commands, and troubleshooting notes. No hidden text, invisible Unicode codepoints, HTML comments, encoded instructions, persona directives, or references to external URLs for the agent to fetch were found.

The scripts/package.json declares no preinstall, postinstall, prepare, or any other lifecycle hooks. npm install would only fetch twitter-api-v2 and its dependencies without executing any skill-supplied code. The twitter-api-v2 package (^1.19.0) is a well-maintained open-source library for Twitter API v2 access.