Finding
File: .claude/skills/setup-agent-team/x-reply.sh
Line: 129 (exec bun run)
Severity: CRITICAL
Issue: OAuth secrets (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET) are passed to the bun process via environment variables, making them visible in process listings and potentially logged.
Risk:
- Any user on the system can run ps auxeww and see OAuth credentials in plaintext
- Credentials may appear in system logs, monitoring tools, or debugging output
- If the system is compromised, credentials are immediately exposed
Fix: Pass credentials via a secure method:
Option 1 - Secure temp file with restricted permissions:
CREDS_FILE=$(mktemp "${TMPDIR:-/tmp}/x-creds.XXXXXX") || exit 1   # mktemp creates the file 0600; the X's must be the last characters for BSD/macOS mktemp
chmod 0600 "${CREDS_FILE}"                                           # belt and braces in case the mktemp implementation honours umask
trap 'rm -f "${CREDS_FILE}"' EXIT                                    # remove the file on every exit path, not only after success
# Values are interpolated verbatim: REPLY_TEXT must not contain a double quote or a newline, or the JSON breaks
cat > "${CREDS_FILE}" <<EOCREDS
{
  "apiKey": "${X_API_KEY}",
  "apiSecret": "${X_API_SECRET}",
  "accessToken": "${X_ACCESS_TOKEN}",
  "accessSecret": "${X_ACCESS_SECRET}",
  "tweetId": "${TWEET_ID}",
  "replyText": "${REPLY_TEXT}"
}
EOCREDS
# Update the TypeScript script to read the JSON from the path passed as argv[1]
bun run "${REPLY_SCRIPT}" "${CREDS_FILE}"
rm -f "${CREDS_FILE}"
Option 2 - Pass via stdin (most secure):
# The TypeScript script must read the JSON from fd 0; nothing here appears in argv or in the child's environment.
# As in Option 1, values are interpolated verbatim, so REPLY_TEXT must not contain a double quote or a newline.
bun run "${REPLY_SCRIPT}" <<EOCREDS
{
  "apiKey": "${X_API_KEY}",
  "apiSecret": "${X_API_SECRET}",
  "accessToken": "${X_ACCESS_TOKEN}",
  "accessSecret": "${X_ACCESS_SECRET}",
  "tweetId": "${TWEET_ID}",
  "replyText": "${REPLY_TEXT}"
}
EOCREDS
-- shell-scanner
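The stdin hand-off the fix describes, as an added example that is not part of the original finding or of x-reply.sh: the shell builds the JSON with proper string escaping (the heredocs above interpolate REPLY_TEXT verbatim, so a double quote or newline in it would break the payload) and pipes it to the consumer on fd 0, keeping the values out of argv and out of the child's environment, which is where ps e and /proc/<pid>/environ read them from. All variable values are constructed placeholders, and the sh -c consumer is a stand-in for bun run "${REPLY_SCRIPT}", which is assumed to read the JSON from stdin.

```bash
#!/bin/bash
# Added example, not code from the finding or from x-reply.sh: build the
# credential payload with real JSON string escaping and hand it to the consumer
# over stdin, so the secrets never appear in argv or in the child's environment.
# All values are constructed placeholders; the `sh -c` consumer stands in for
# `bun run "${REPLY_SCRIPT}"`, which would read the same JSON from fd 0.

# Escape one value as a JSON string literal (backslash, double quote, newline,
# tab, carriage return). Only bash parameter expansion is used, so the secret
# is never handed to an external program as an argument.
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\t'/\\t}
  s=${s//$'\r'/\\r}
  printf '"%s"' "$s"
}

# Build the same object the finding's heredoc produces, with every field escaped.
# Arguments: apiKey apiSecret accessToken accessSecret tweetId replyText
build_payload() {
  printf '{"apiKey":%s,"apiSecret":%s,"accessToken":%s,"accessSecret":%s,"tweetId":%s,"replyText":%s}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
    "$(json_escape "$4")" "$(json_escape "$5")" "$(json_escape "$6")"
}

# Hand the payload to a consumer over stdin and report what the child could see:
# "clean"  = it received the JSON on fd 0 and had no X_API_KEY in its environment,
# "leaked" = the secret was also inherited through the environment.
consumer_env_check() {
  build_payload "$@" | sh -c 'p=$(cat); if [ -n "$p" ] && [ -z "${X_API_KEY+x}" ]; then echo clean; else echo leaked; fi'
}

# Demonstration with constructed placeholder values. Plain assignments (no export)
# keep them out of every child's environment; only the stdin pipe carries them.
X_API_KEY='placeholder-api-key'
X_API_SECRET='placeholder-api-secret'
X_ACCESS_TOKEN='placeholder-access-token'
X_ACCESS_SECRET='placeholder-access-secret'
TWEET_ID='1234567890'
REPLY_TEXT=$'He said "hi"\nsecond line'

# Expected: clean (secret travelled only over stdin)
consumer_env_check "$X_API_KEY" "$X_API_SECRET" "$X_ACCESS_TOKEN" "$X_ACCESS_SECRET" "$TWEET_ID" "$REPLY_TEXT"
# Expected: leaked (the env-var hand-off the finding objects to, run in a subshell)
(export X_API_KEY; consumer_env_check "$X_API_KEY" "$X_API_SECRET" "$X_ACCESS_TOKEN" "$X_ACCESS_SECRET" "$TWEET_ID" "$REPLY_TEXT")
```

The two consumer_env_check calls are the point of the demonstration: the same child, fed the same payload, reports clean when the variables are merely assigned and leaked as soon as they are exported, because exported variables are copied into every child's environment. The escaping relies on bash parameter expansion and is not POSIX sh.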