xurl

Enables users to interact with the X/Twitter API via a CLI for posting, searching, and managing media and messages.

Security score: 48/100

The xurl skill was audited on Jun 4, 2026 and we found 14 security issues across 3 threat categories, including 1 high-severity. Review the findings below before installing.

Security Issues

high line 59

Piping content to bash shell

Source: SKILL.md
59: curl -fsSL https://raw.githubusercontent.com/xdevplatform/xurl/main/install.sh | bash
medium line 39

Access to hidden dotfiles in home directory

Source: SKILL.md
39: - **Never** read, print, parse, summarize, upload, or send `~/.xurl` to LLM context.
medium line 41

Access to hidden dotfiles in home directory

Source: SKILL.md
41: - The user must fill `~/.xurl` with secrets manually on their own machine. In Docker, this must be the `~` seen by Hermes tool subprocesses; see the Docker note below.
medium line 49

Access to hidden dotfiles in home directory

Source: SKILL.md
49: App credential registration and credential rotation must be done by the user manually, outside the agent session. After credentials are registered, the user authenticates with `xurl auth oauth2` — als
low line 58

Access to hidden dotfiles in home directory

Source: SKILL.md
58: # Shell script (installs to ~/.local/bin, no sudo, works on Linux + macOS)
medium line 118

Access to hidden dotfiles in home directory

Source: SKILL.md
118: > **Docker HOME pitfall:** In the official Hermes Docker layout, `/opt/data` is `HERMES_HOME`, but Hermes tool subprocesses use `/opt/data/home` as `HOME`. That means `~/.xurl` resolves to `/opt/data/
medium line 397

Access to hidden dotfiles in home directory

Source: SKILL.md
397: 7. Never paste `~/.xurl` contents back into the conversation.
medium line 423

Access to hidden dotfiles in home directory

Source: SKILL.md
423: - **Token storage:** `~/.xurl` is YAML. In Docker, use the Hermes subprocess HOME (`/opt/data/home` in the official image) so tokens land under `/opt/data/home/.xurl`. Never read or send this file to
low line 87

External URL reference

Source: SKILL.md
87: 2. Set the redirect URI to `http://localhost:8080/callback`
low line 162

External URL reference

Source: SKILL.md
162: - `POST_ID` accepts full URLs too (e.g. `https://x.com/user/status/1234567890`) — xurl extracts the ID.
low line 177

External URL reference

Source: SKILL.md
177: xurl reply https://x.com/user/status/1234567890 "Agreed!"
low line 188

External URL reference

Source: SKILL.md
188: xurl read https://x.com/user/status/1234567890
low line 299

External URL reference

Source: SKILL.md
299: xurl https://api.x.com/2/users/me
low line 354

External URL reference

Source: SKILL.md
354: xurl read https://x.com/user/status/1234567890
Scanned on Jun 4, 2026