
Xquik-dev/x-twitter-scraper

v2.3.0 Security

This release includes 1 security fix and is relevant to security teams reviewing exposed deployments.

Published 2 months ago (MCP Developer Tools)

Topics

advanced-search agent-skill ai-agent data-extraction follower-export mcp mcp-server profile-tweets sdk send-tweets social-media-api social-media-automation tweet-search twitter twitter-api twitter-api-alternative twitter-automation twitter-scraper x-api x-api-alternative

Affected surfaces

auth rbac

Summary

AI summary

Security audit findings resolved with credential handling improvements, prompt injection defense updates, MCP remote usage context, and sensitive data access prompts.

Full changelog

Security

Resolves all 5 findings from the Gen Agent Trust Hub audit (2026-04-13).

Credential Handling (CREDENTIALS_UNSAFE)

  • Add credentialProxy and credentialProxyScope to security metadata
  • New "Credential Handling" section with 5 agent rules: confirm before sending, never log/echo/store/reuse credentials, never auto-retry credential endpoints
  • Security notes on POST /x/accounts and POST /x/accounts/{id}/reauth endpoints
  • Remove misleading "never handles raw credentials" claim — was about API key injection, not X account credentials

Prompt Injection Defense (PROMPT_INJECTION)

  • Replace blanket "trust the docs" override with scoped version: docs win on endpoint params, rate limits, and pricing only — security rules in the skill always take precedence over external content
  • Add sensitiveDataEndpoints and sensitiveDataHandling metadata to gate private-data endpoints behind user confirmation

MCP Remote Security (REMOTE_CODE_EXECUTION)

  • Add security context to mcp-remote usage in MCP setup guide: what the package does, open-source link, pinned version rationale, global-install alternative to avoid npx

Sensitive Data Access (DATA_EXFILTRATION)

  • New "Sensitive Data Access" section with per-endpoint confirmation prompts for DMs, bookmarks, notifications, and timeline
  • "Sensitive:" tags added to each private-data endpoint in api-endpoints.md
  • Retrieved private data must not be forwarded to non-Xquik tools without explicit user consent
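The Credential Handling and Sensitive Data Access rules above describe an agent-side gate: credential endpoints need confirmation and must never be auto-retried or logged, private-data endpoints are gated behind user confirmation, and retrieved private data stays inside Xquik tools unless the user consents. The following is an added example of such a gate, not the skill's own code; the shape of the security metadata, the `sensitiveDataHandling` value, and the GET routes for DMs, bookmarks, notifications and timeline are assumed (only the two `POST /x/accounts` routes appear in the changelog).

```python
"""Agent-side gate for the changelog's Credential Handling and Sensitive
Data Access rules. Example code, not the Xquik skill's own; the metadata
shape and the GET routes for DMs/bookmarks/etc. are assumed."""
import re
from dataclasses import dataclass

# Constructed stand-in for the skill's security metadata. Key names are the
# ones the changelog lists; their values and the private-data routes are assumed.
SECURITY_METADATA = {
    "credentialProxy": True,
    "credentialProxyScope": ["POST /x/accounts", "POST /x/accounts/{id}/reauth"],
    "sensitiveDataEndpoints": ["GET /x/dms", "GET /x/bookmarks",
                               "GET /x/notifications", "GET /x/timeline"],
    "sensitiveDataHandling": "confirm-before-access",
}

@dataclass
class Decision:
    allowed: bool             # may the call be sent right now?
    needs_confirmation: bool  # must the user confirm first?
    auto_retry: bool          # may the agent retry on failure without asking?
    reason: str

def _match(pattern: str, route: str) -> bool:
    """Compare 'METHOD /path' segment by segment; '{id}' matches any one segment."""
    p, r = pattern.split("/"), route.split("/")
    return len(p) == len(r) and all(a == "{id}" or a == b for a, b in zip(p, r))

def gate_call(route: str, user_confirmed: bool, meta=SECURITY_METADATA) -> Decision:
    """Apply the skill's rules to one outgoing call, e.g. 'POST /x/accounts'."""
    if meta["credentialProxy"] and any(_match(p, route) for p in meta["credentialProxyScope"]):
        # credential endpoint: confirm before sending, never auto-retry
        return Decision(user_confirmed, not user_confirmed, False,
                        "credential endpoint: confirm before sending, no auto-retry")
    if any(_match(p, route) for p in meta["sensitiveDataEndpoints"]):
        return Decision(user_confirmed, not user_confirmed, True,
                        "private-data endpoint: gated behind user confirmation")
    return Decision(True, False, True, "public endpoint")

def may_forward(data_tag: str, target_tool: str, user_consented: bool) -> bool:
    """Data tagged 'Sensitive:' stays inside Xquik tools unless the user consents."""
    return data_tag != "Sensitive" or target_tool.startswith("xquik") or user_consented

def redact_credentials(text: str) -> str:
    """Scrub credential fields before a request body is logged or echoed back."""
    return re.sub(r'("(?:password|token|api_key)"\s*:\s*")[^"]*"',
                  r'\g<1>[REDACTED]"', text)
```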



About Xquik-dev/x-twitter-scraper

Remote X (Twitter) MCP server with 121 endpoints via 2 tools. Post tweets, reply, like, retweet, follow, DM, search, extract data, run giveaways, and monitor accounts. StreamableHTTP at xquik.com/mcp with API key auth.
