🔒 Security

XActions is designed with security-first principles. Your data stays on your machine, the code is fully open source, and we don't track anything.

🔒 Your Data Stays Local

XActions browser scripts run entirely in your browser. Your credentials, cookies, and data never leave your machine. There are no external API calls, no telemetry, no analytics.

🛡️ No Server-Side Storage

  • Browser scripts: zero server communication
  • CLI tool: runs locally on your machine
  • MCP server: runs locally, all data stays on your machine
  • API features (video download, thread unroll): we process the request and return results — we don't store your data

🔓 Open Source = Auditable

Every line of code is public on GitHub. You can audit the entire codebase before running anything. We have nothing to hide. The project is MIT-licensed.

🍪 Session Cookie Handling

If you use the hosted dashboard features, your X/Twitter session cookie is:

  • Encrypted with AES-256-GCM before storage
  • Never logged or transmitted to third parties
  • Deletable at any time from your settings
  • Used only to execute the automation you requested

⚠️ Responsible Disclosure

Found a security vulnerability? Please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.

How to Report

  • Report security concerns through GitHub's private vulnerability reporting feature
  • Do NOT open a public GitHub issue
  • Include a detailed description and reproduction steps
  • We aim to respond within 48 hours
  • We'll credit you in our changelog (unless you prefer anonymity)

🔑 Best Practices

  • Never share your auth_token cookie with anyone
  • Use XActions in a browser profile you control
  • Regularly rotate your X/Twitter password
  • Review scripts before running them — they're open source for this reason
  • Don't run multiple automation scripts simultaneously
  • Start with conservative settings and small batches

📦 Dependencies

We keep dependencies minimal and audited:

Package                      Purpose
@modelcontextprotocol/sdk    MCP server protocol
Express.js                   API server
Puppeteer                    Browser automation
Prisma                       Database (PostgreSQL)
Commander.js                 CLI framework

No tracking. No analytics. No ads.