Finding
File: .claude/skills/setup-agent-team/x-reply.sh
Lines: 8-16
Severity: HIGH
Issue: The script checks for presence of TWEET_ID and REPLY_TEXT but does not validate their format or content before passing to the TypeScript OAuth implementation.
Current code:
if [[ -z "${TWEET_ID:-}" ]]; then
  echo '{"ok":false,"error":"TWEET_ID env var is required"}' >&2
  exit 1
fi
if [[ -z "${REPLY_TEXT:-}" ]]; then
  echo '{"ok":false,"error":"REPLY_TEXT env var is required"}' >&2
  exit 1
fi
Risk:
- TWEET_ID: Must be a numeric string. Non-numeric values could cause API errors or unexpected behavior
- REPLY_TEXT: No length validation. Twitter has a 280-character limit; extremely long inputs cause API errors
- REPLY_TEXT: No content validation. Could contain control characters or invalid UTF-8 sequences
Fix: Add validation:
# Validate TWEET_ID is numeric (Twitter IDs are unsigned 64-bit integers rendered as digit strings)
if [[ ! "${TWEET_ID}" =~ ^[0-9]+$ ]]; then
  echo '{"ok":false,"error":"TWEET_ID must be numeric"}' >&2
  exit 1
fi
# Validate REPLY_TEXT length (Twitter limit: 280 chars); wc -m counts characters, not bytes
REPLY_LENGTH=$(printf '%s' "${REPLY_TEXT}" | wc -m | tr -d ' ')
if [[ "${REPLY_LENGTH}" -gt 280 ]]; then
  echo '{"ok":false,"error":"REPLY_TEXT exceeds 280 characters"}' >&2
  exit 1
fi
-- shell-scanner