Is x-api safe?
https://clawhub.ai/lobstergeneralintelligence/x-api
The x-api skill is a Twitter/X posting tool that appears functionally legitimate but carries significant unverifiable risk. The most critical issue is that the primary executable (x-post.mjs) was not captured in the audit evidence, making it impossible to verify the script's actual behavior with credentials and network access. The skill's core design — posting to a public social media platform with OAuth credentials — creates an inherent exfiltration channel that could be exploited by prompt injection from other sources.
Findings (7)
CRITICAL Opaque executable: x-post.mjs source code not captured -40
The skill ships an executable JavaScript file (x-api/scripts/x-post.mjs) that the agent is instructed to run via 'node'. This file's source code was NOT included in the audit evidence collection. The file listing shows it exists, but its contents are absent from the 'All Source Code' section. This means the actual behavior of the script — what it does with credentials, whether it makes additional network requests, whether it exfiltrates data — is completely unverifiable from this audit.
HIGH Credential access by design with opaque script -35
The skill is designed to read OAuth credentials from environment variables or ~/.clawdbot/secrets/x-api.json. Since the x-post.mjs script source is not available for review, there is no way to confirm the script only reads the intended credentials and only sends them to the X API. The script could read additional environment variables, files, or credentials and exfiltrate them via the API connection or separate network requests.
HIGH Public social media posting enables data exfiltration channel -30
The skill's core functionality — posting to X/Twitter — creates a public exfiltration channel. Any prompt injection from another source (malicious file content, compromised webpage, another skill) could instruct the agent to read sensitive data and post it as a tweet. Unlike private API calls, tweets are publicly visible and indexed, making this an especially dangerous exfiltration vector.
MEDIUM Global npm install recommended -15
The skill instructs the user to run 'npm install -g twitter-api-v2' which installs the package globally, affecting the entire system rather than being scoped to the skill directory. The local package.json uses ^1.19.0 (caret range), which could resolve to a different version than audited.
MEDIUM Behavioral directive to use external CLI tool -18
The skill instructs the agent to use 'bird CLI' for reading Twitter data. This is a soft behavioral directive that could cause the agent to execute an external tool (bird) that may not be installed or audited. While not a traditional prompt injection, it expands the agent's tool usage beyond the skill's own code.
LOW AWS credentials file accessed during install environment setup -20
Filesystem monitoring detected access to /home/oc-exec/.aws/credentials during the install phase. This appears to be from the host environment's shell initialization (sourcing .profile/.bashrc) rather than from the skill itself, but it indicates the install environment has access to sensitive credential files.
INFO All canary files intact 0
Honeypot files designed to detect credential harvesting were not accessed or modified during the audit. This is a positive signal but does not eliminate risk given the opaque x-post.mjs script.