Trust Assessment
jackwener/twitter-cli:root received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 4 critical, 5 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Credential harvesting, Unsafe deserialization / dynamic eval.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on March 11, 2026 (commit 1c0e4b0c). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings11
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | twitter_cli/auth.py:458 | |
| CRITICAL | Credential harvesting macOS Keychain credential access Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | twitter_cli/auth.py:60 | |
| CRITICAL | Shell Command Injection via User-Provided Cookie String The skill's authentication method 'Method C' instructs the agent to parse a user-provided full browser cookie string using shell commands. The `FULL_COOKIE` variable is directly interpolated into `echo "$FULL_COOKIE" | grep ... | cut ...` without proper sanitization. If a malicious user provides a cookie string containing shell metacharacters (e.g., `"; rm -rf /; echo "auth_token=..."`), arbitrary commands could be injected and executed by the agent. Avoid parsing user-provided strings with shell commands. Instead, use a robust, language-specific parser (e.g., Python's `http.cookies` module) to safely extract values from the cookie string. If shell execution is unavoidable, ensure all user-controlled input is strictly sanitized or properly quoted to prevent command injection. | Static | SKILL.md:70 | |
| CRITICAL | Direct Request for Full Browser Cookie String (Credential Harvesting Risk) The skill's authentication method 'Method C' explicitly instructs the user to manually extract their entire browser cookie string (containing `auth_token`, `ct0`, and other session data) and provide it to the agent. While a warning about not sharing cookies is present, the workflow design requires the user to expose these highly sensitive credentials to the agent. This creates a significant risk of credential harvesting or accidental data exfiltration if the agent or its operating environment is compromised or misconfigured. Avoid requesting full browser cookie strings directly from users. Prioritize secure, automated browser cookie extraction (Method A) or the use of specific, less privileged tokens via environment variables (Method B). If a full cookie string is deemed absolutely necessary, implement stringent security controls to ensure it is never logged, stored, or transmitted insecurely, and is immediately processed into specific tokens. | Static | SKILL.md:55 | |
| HIGH | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | twitter_cli/auth.py:253 | |
| HIGH | Unsafe deserialization / dynamic eval Python variable indirection to hide dangerous calls Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | twitter_cli/cli.py:758 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_run_extract_command'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | twitter_cli/auth.py:458 | |
| HIGH | Excessive Permissions: Access to Browser Cookie Stores and Shell Execution The skill requires extensive permissions, including the ability to automatically extract cookies from various browser profiles (via `browser-cookie3`) and to execute arbitrary shell commands (as demonstrated by the cookie parsing example in `SKILL.md`). This grants the agent a high level of privilege to access sensitive local data (browser cookies, OS keychains) and execute system commands, significantly increasing the attack surface and the potential impact of a successful exploit or agent compromise. Re-evaluate the necessity of full browser cookie extraction and broad shell execution capabilities. Implement the principle of least privilege, limiting the agent's access to only what is strictly required. Explore sandboxing or containerization for the agent's execution environment to isolate it from sensitive system resources. Clearly document the security implications of granting such permissions to users. | Static | SKILL.md:20 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 4 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Unpinned Python dependency version Dependency 'browser-cookie3>=0.19' is not pinned to an exact version. Pin Python dependencies with exact versions where feasible. | Dependencies | pyproject.toml | |
| INFO | Unpinned Dependencies in pyproject.toml The `pyproject.toml` file specifies minimum versions for several critical dependencies (e.g., `browser-cookie3`, `curl_cffi`, `xclienttransaction`) using `>=` operators instead of exact version pinning. While common, this practice can introduce supply chain risks if a new minor or patch version of a dependency introduces a vulnerability or breaking change. `browser-cookie3` and `curl_cffi` are particularly sensitive as they handle browser data and network requests, respectively. `xclienttransaction` is also a custom dependency, adding a layer of trust. Consider using exact version pinning for all dependencies or implementing a lock file (e.g., `poetry.lock`, `pip-tools` generated `requirements.txt`) to ensure deterministic builds and prevent unexpected dependency updates. Regularly audit all dependencies for known vulnerabilities. | Static | pyproject.toml:20 |
Scan History
Embed Code
[](https://skillshield.io/report/0b01bbeb7096dd13)
Powered by SkillShield