v2.3.0

@kriptoburak kriptoburak released this 13 Apr 21:51
· 109 commits to master since this release

Security

Resolves all 5 findings from the Gen Agent Trust Hub audit (2026-04-13).

Credential Handling (CREDENTIALS_UNSAFE)

  • Add credentialProxy and credentialProxyScope to the security metadata
  • New "Credential Handling" section with 5 agent rules: confirm with the user before sending credentials; never log, echo, store, or reuse them; never auto-retry credential endpoints
  • Security notes on the POST /x/accounts and POST /x/accounts/{id}/reauth endpoints
  • Remove the misleading "never handles raw credentials" claim: it referred to API key injection, not to X account credentials

Prompt Injection Defense (PROMPT_INJECTION)

  • Replace the blanket "trust the docs" override with a scoped version: the docs win only on endpoint parameters, rate limits, and pricing; the security rules in the skill always take precedence over external content
  • Add sensitiveDataEndpoints and sensitiveDataHandling metadata so that private-data endpoints are gated behind user confirmation

MCP Remote Security (REMOTE_CODE_EXECUTION)

  • Add security context to the mcp-remote usage in the MCP setup guide: what the package does, a link to its source, why the version is pinned, and a global-install alternative that avoids npx

Sensitive Data Access (DATA_EXFILTRATION)

  • New "Sensitive Data Access" section with per-endpoint confirmation prompts for DMs, bookmarks, notifications, and the timeline
  • Add a Sensitive: tag to each private-data endpoint in api-endpoints.md
  • Retrieved private data must not be forwarded to non-Xquik tools without explicit user consent
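The credential and private-data rules above, as an added example of how an agent runtime could enforce them (this is not the Xquik skill's own code): confirm before a credential or private-data call, refuse to auto-retry a credential endpoint, keep credential bodies out of the log, and let data read from a sensitive endpoint reach a non-Xquik tool only with explicit consent. Only the metadata field names and the two /x/accounts endpoints come from this page; the metadata layout (lists of "METHOD /path" strings), the /x/dms, /x/bookmarks, /x/notifications and /x/timeline paths, and the xquik. tool-name prefix are assumptions made for the example.

```python
"""Agent-side enforcement of the credential and sensitive-data rules.

Added example, not the Xquik skill's code. The metadata layout, the
private-data paths and the tool-name prefix are assumptions; the release
notes name the fields but this page does not show their schema.
"""
from dataclasses import dataclass, field

# Constructed metadata: field names are from the release notes, the list
# layout and the /x/dms ... /x/timeline paths are hypothetical.
SKILL_METADATA = {
    "credentialProxy": True,
    "credentialProxyScope": [
        "POST /x/accounts",
        "POST /x/accounts/{id}/reauth",
    ],
    "sensitiveDataEndpoints": [
        "GET /x/dms",
        "GET /x/bookmarks",
        "GET /x/notifications",
        "GET /x/timeline",
    ],
    "sensitiveDataHandling": "confirm-per-endpoint",
}

TRUSTED_TOOL_PREFIX = "xquik."  # assumed naming for the skill's own tools


def _key(method: str, path: str) -> str:
    """Normalise to 'METHOD /path' with any query string dropped."""
    return f"{method.upper()} {path.split('?', 1)[0]}"


def endpoint_matches(pattern: str, method: str, path: str) -> bool:
    """Match 'METHOD /a/{id}/b' patterns; a {...} segment is a wildcard."""
    p_method, p_path = pattern.split(" ", 1)
    if p_method != method.upper():
        return False
    p_parts = p_path.strip("/").split("/")
    parts = path.split("?", 1)[0].strip("/").split("/")
    if len(p_parts) != len(parts):
        return False
    return all(a == b or a.startswith("{") for a, b in zip(p_parts, parts))


def is_credential_endpoint(method, path, meta=SKILL_METADATA) -> bool:
    return bool(meta.get("credentialProxy")) and any(
        endpoint_matches(p, method, path) for p in meta["credentialProxyScope"])


def is_sensitive_endpoint(method, path, meta=SKILL_METADATA) -> bool:
    return any(endpoint_matches(p, method, path)
               for p in meta["sensitiveDataEndpoints"])


@dataclass
class Record:
    """A tool result; `sensitive` marks data read from a private-data endpoint."""
    source: str
    payload: object
    sensitive: bool


@dataclass
class Agent:
    confirmed: set = field(default_factory=set)  # calls the user approved
    log: list = field(default_factory=list)

    def confirm(self, method: str, path: str) -> None:
        """Record an explicit user confirmation for one endpoint."""
        self.confirmed.add(_key(method, path))

    def decide(self, method: str, path: str, attempt: int = 1) -> str:
        """Return 'call', 'ask-user' or 'refuse' for a planned request."""
        key = _key(method, path)
        if is_credential_endpoint(method, path):
            if attempt > 1:
                return "refuse"  # never auto-retry a credential endpoint
            return "call" if key in self.confirmed else "ask-user"
        if is_sensitive_endpoint(method, path):
            return "call" if key in self.confirmed else "ask-user"
        return "call"

    def record_call(self, method: str, path: str, body) -> str:
        """Append a log line; credential bodies are never written out."""
        shown = "[credentials redacted]" if is_credential_endpoint(method, path) else body
        line = f"{_key(method, path)} {shown}"
        self.log.append(line)
        return line

    def may_forward(self, rec: Record, target_tool: str, user_consent: bool = False) -> bool:
        """Private data leaves the Xquik toolset only with explicit consent."""
        if not rec.sensitive or target_tool.startswith(TRUSTED_TOOL_PREFIX):
            return True
        return user_consent


if __name__ == "__main__":
    agent = Agent()
    print(agent.decide("POST", "/x/accounts"))                 # ask-user
    agent.confirm("POST", "/x/accounts")
    print(agent.decide("POST", "/x/accounts"))                 # call
    print(agent.decide("POST", "/x/accounts/42/reauth", 2))    # refuse
    print(agent.record_call("POST", "/x/accounts", {"password": "hunter2"}))
    dms = Record("GET /x/dms", ["hi"], sensitive=True)
    print(agent.may_forward(dms, "web.fetch"))                 # False
```

The gate is keyed on the normalised "METHOD /path" rather than the raw URL, so a confirmation for GET /x/dms also covers GET /x/dms?limit=5; a retry guard on the credential endpoints means a failed POST /x/accounts goes back to the user instead of being resent with the same secret.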