This skill uses system-level tools and broad permissions to
Claims to do
Post to X (Twitter): Posts text, images, videos, and long-form articles to X via real Chrome browser (bypasses anti-bot detection).
Actually does
This skill uses `bun` or `npx` to execute TypeScript scripts that control a real Chrome browser. It accesses local files (images, videos, markdown) and the user's Chrome profile to navigate to `x.com` and pre-fill content for various post types (text, images, videos, quote tweets, long-form articles). It also includes scripts for environment checks and troubleshooting Chrome debug port issues, sometimes using `pkill`.
The skill explicitly uses scripts and external tools (`xdotool`, `ydotool`) to interact with the system clipboard and simulate keystrokes, posing a significant risk for credential harvesting or data exfiltration.
`scripts/copy-to-clipboard.ts`, `scripts/paste-from-clipboard.ts`, `xdotool` (X11) or `ydotool` (Wayland)
The skill includes instructions to terminate Chrome/Chromium processes using `pkill`, a capability that could be misused for resource abuse or denial of service.
`pkill -f "Chrome.*remote-debugging-port" 2>/dev/null;`
The skill operates using the user's persistent authenticated session on X, meaning any actions performed by the agent are directly attributed to the user's identity.
First run: log in to X manually (session saved)
The skill explicitly uses Chrome DevTools Protocol (CDP) to bypass anti-automation detection on X (Twitter). This constitutes circumvention of platform Terms of Service anti-bot measures and could be used to automate actions at scale without platform consent.
Uses real Chrome with CDP to bypass anti-automation. Posts text, images, videos, and long-form articles to X via real Chrome browser (bypasses anti-bot detection).
The skill requires macOS Accessibility permissions for the terminal app, which grants broad system UI control capabilities beyond what is needed for basic posting. This is a significant permission that could be abused by the underlying scripts.
Accessibility (macOS) | System Settings → Privacy & Security → Accessibility → enable terminal app
The skill's description implies full automation of 'posting' to X, but the actual behavior requires the user to manually review and publish the content after the script has prepared it in the browser.
The skill repeatedly states: 'Note: Script opens browser with content filled in. User reviews and publishes manually.' and 'All scripts only fill content into the browser, user must review and publish manually'.
The skill loads settings from external `EXTEND.md` files located in user-controlled directories, which could be manipulated by an attacker to alter skill behavior or inject malicious configurations.
`test -f .baoyu-skills/baoyu-post-to-x/EXTEND.md && echo "project"`
The skill instructs the agent to automatically kill Chrome processes and retry commands without asking the user. This skip-user-confirmation pattern removes human oversight for a destructive system operation (killing processes).
**Important**: This should be done automatically — when encountering this error, kill Chrome CDP instances and retry the command without asking the user.
The reliance on manual user review for publishing posts introduces a vulnerability to approval fatigue or social engineering, where a user might inadvertently approve malicious content.
All scripts only fill content into the browser, user must review and publish manually
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.