This release includes 1 breaking change for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Moderate signal: The release hardens security surfaces and removes deprecated billing/payment references from packaged skill surfaces.
Why it matters: Security enhancements address untrusted X‑content boundaries and restrict funding/plan changes to the dashboard; deprecation of top‑up, checkout, MPP, and local MCP bridge package references requires updating any code that relied on those features before upgrade.
Summary
AI summary: Removed top-up, checkout, MPP, billing/payment, and local MCP bridge package references from packaged skill surfaces.
Changes in this release
| Type | Severity | Summary | CVE | Source | Confidence |
|---|---|---|---|---|---|
| Security | High | Hardened Skills.sh trust-audit surface with explicit untrusted X-content boundary markers and first-party host metadata. | — | llm_adapter@2026-05-27 | high |
| Security | High | Hardened Socket and Snyk audit surfaces by restricting account funding and plan changes to dashboard-only in installed skill docs. | — | llm_adapter@2026-05-27 | high |
| Feature | Medium | Added native HTTP/OAuth-only MCP transport guidance. | — | llm_adapter@2026-05-27 | high |
| Dependency | Low | Bumped package, skill, plugin, and registry version surfaces to 2.4.15. | — | llm_adapter@2026-05-27 | high |
| Deprecation | Medium | Removed top-up, checkout, MPP, billing/payment, and local MCP bridge package references from packaged skill surfaces. | — | llm_adapter@2026-05-27 | high |
| Bugfix | Medium | Fixed Claude plugin MCP config shape in the Codex plugin manifest. | — | llm_adapter@2026-05-27 | high |
Full changelog
Changes
- Hardened the Skills.sh trust-audit surface with explicit untrusted X-content boundary markers and first-party host metadata.
- Hardened Socket and Snyk audit surfaces by making account funding and plan changes dashboard-only in the installed skill docs.
- Removed top-up, checkout, MPP, billing/payment, and local MCP bridge package references from packaged skill surfaces.
- Added native HTTP/OAuth-only MCP transport guidance.
- Added the Codex plugin manifest and fixed the Claude plugin MCP config shape.
- Bumped package, skill, plugin, and registry version surfaces to 2.4.15.
Validation
- node scripts/check-versions.mjs
- JSON metadata parse checks
- Python and JavaScript snippet syntax checks
- git diff --check
- Packaged-surface trigger scan
- Link check: 19 pass, 0 fail, 9 skipped for placeholders/sentinels
Full Changelog: https://github.com/Xquik-dev/x-twitter-scraper/compare/v2.4.13...v2.4.15
Breaking Changes
- Removed top-up, checkout, MPP, billing/payment, and local MCP bridge package references from packaged skill surfaces.
About Xquik-dev/x-twitter-scraper
Remote X (Twitter) MCP server with 121 endpoints via 2 tools. Post tweets, reply, like, retweet, follow, DM, search, extract data, run giveaways, and monitor accounts. StreamableHTTP at xquik.com/mcp with API key auth.