v2.3.0

Security

Resolves all 5 findings from the Gen Agent Trust Hub audit (2026-04-13).

Credential Handling (CREDENTIALS_UNSAFE)

• Add credentialProxy and credentialProxyScope to security metadata
• New "Credential Handling" section with 5 agent rules: confirm before sending, never log/echo/store/reuse credentials, never auto-retry credential endpoints
• Security notes on POST /x/accounts and POST /x/accounts/{id}/reauth endpoints
• Remove misleading "never handles raw credentials" claim — was about API key injection, not X account credentials

Prompt Injection Defense (PROMPT_INJECTION)

• Replace blanket "trust the docs" override with scoped version: docs win on endpoint params, rate limits, and pricing only — security rules in the skill always take precedence over external content
• Add sensitiveDataEndpoints and sensitiveDataHandling metadata to gate private-data endpoints behind user confirmation

MCP Remote Security (REMOTE_CODE_EXECUTION)

• Add security context to mcp-remote usage in MCP setup guide: what the package does, open-source link, pinned version rationale, global-install alternative to avoid npx

Sensitive Data Access (DATA_EXFILTRATION)

• New "Sensitive Data Access" section with per-endpoint confirmation prompts for DMs, bookmarks, notifications, and timeline
• Sensitive: tags added to each private-data endpoint in api-endpoints.md
• Retrieved private data must not be forwarded to non-Xquik tools without explicit user consent

v2.2.1

Fixes

• Resolve all Socket & Snyk audit findings (version consistency, security metadata, endpoint counts)
• Surface 9 prompt injection mitigations + 11 payment guardrails in structured frontmatter metadata
• Add contentIsolation, contentNeverDrivesToolSelection, autonomousPayment: false, storedCredentialCharges: false, fundTransfers: false, localFileAccess: none, localNetworkAccess: none
• Declare XQUIK_WEBHOOK_SECRET as optional env with per-webhook scope
• Remove prompt injection scanner trigger phrase from defense example
• Fix stale endpoint counts (97, 120 → 122) across all files
• Add API key security guidance to MCP setup guide
• Fix dashboard URLs to dashboard.xquik.com subdomain
• Update endpoint count 121 → 122 across registry and docs
• Update MPP endpoint count 16 → 32
• Update credit costs 2 → 1 for profiles & followers
• Optimize tool descriptions for Glama TDQS A-grade scoring
• Add verified sandbox constraints to tool descriptions
• Add Glama MCP server score badge and Smithery badge to README
• Add Apify actor status badge to README

v2.2.0

Glama Docker verification passing. 2 tools (explore + xquik), 121 API endpoints.

v2.0.2

• Fix glama.json maintainer for Glama server claiming
• Update SKILL.md to v2.0.2 (121 endpoints, expanded security model)

v2.0.1

What's Changed

• Slash commands: Add 4 slash commands (search, user, post, trending) for interactive use
• MCP auto-config: Add .mcp.json for MCP server auto-configuration and userConfig API key prompt
• Docker & catalog: Add Docker MCP Catalog and submission files
• Security: Harden security section, add sandbox trust model, pin mcp-remote version
• Pricing: Align extraction and per-op pricing with billing docs; correct MPP pricing for multiple endpoints
• Fixes: Correct endpoint paths, marketplace source path, and skill description priorities

v2.0.0

x-twitter-scraper v2.0.0

AI agent skill for X (Twitter) data via the Xquik API. 33x cheaper than the official X API.

Highlights

• 99 REST API endpoints across 12 categories
• 9 MCP tools for AI agent integration
• HMAC webhook support with signature verification
• Machine Payments Protocol (MPP) for anonymous pay-per-use
• Reads from $0.00015/call

Installation

npx skills add Xquik-dev/x-twitter-scraper