Finding
File: .claude/skills/setup-agent-team/x-reply.sh
Lines: 12-22
Severity: HIGH
Issue: The script checks for presence of X API credentials (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET) but does not validate their format or content. Malformed credentials could cause unexpected behavior in the OAuth signing logic.
Current code:
if [[ -z "${X_API_KEY:-}" || -z "${X_API_SECRET:-}" || -z "${X_ACCESS_TOKEN:-}" || -z "${X_ACCESS_SECRET:-}" ]]; then
  echo '{"ok":false,"error":"X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, and X_ACCESS_SECRET are all required"}' >&2
  exit 1
fi
Risk:
- Credentials with newlines or special characters could break OAuth signature generation
- Invalid credentials that pass the presence check could cause silent failures
- No length validation could allow denial-of-service via extremely long tokens
Fix: Add validation:
# Validate format (alphanumeric + common OAuth chars only, minimum 10 chars)
for var in X_API_KEY X_API_SECRET X_ACCESS_TOKEN X_ACCESS_SECRET; do
  val="${!var}"   # indirect expansion: the value of the variable named in $var
  if [[ ! "$val" =~ ^[A-Za-z0-9_-]{10,}$ ]]; then
    echo '{"ok":false,"error":"Invalid format for '"$var"'"}' >&2
    exit 1
  fi
done
-- shell-scanner