{"slug": "x-just-shipped-an-mcp-server-it-exposes-131-tools-with-zero-access-control",
"title": "X Just Shipped an MCP Server. It Exposes 131 Tools With Zero Access Control.",
"summary": "X (formerly Twitter) released an official MCP server, xmcp, that exposes 131 tools from the X API v2 to any connected agent with no access control, permissions model, or rate limiting. The tools include destructive actions like deleting posts and DMs, as well as posting, messaging, and reposting, posing significant reputation risks. A security researcher warns that agents can publish content, send DMs, or amplify content without safeguards, and recommends using a policy layer like Intercept to mitigate risks.",
"body_md": "X (formerly Twitter) just released [xmcp](https://github.com/xdevplatform/xmcp), an official MCP server that wraps the entire X API v2. It is the largest social media platform to ship a first-party MCP integration, and it exposes 131 tools to any connected agent.\n\nThat includes `createPosts`, `sendChatMessage`, `followUser`, `repostPost`, `deletePosts`, and `createDirectMessagesByParticipantId`. Every one of those tools is available to every connected agent, with no permissions model, no scoping, and no rate limiting at the MCP layer.\n\nThe server dynamically generates tools from X's OpenAPI specification at startup. After filtering out streaming and webhook endpoints, agents get access to 131 operations across every major surface of the platform:\n\n| Category | Tools | Examples |\n|---|---|---|\n| Posts | 15 | `createPosts`, `deletePosts`, `searchPostsRecent`, `hidePostsReply` |\n| Direct Messages | 10 | `createDirectMessagesByParticipantId`, `deleteDirectMessagesEvents` |\n| Users | 30+ | `followUser`, `unfollowUser`, `muteUser`, `blockUsersDms`, `likePost`, `repostPost` |\n| Chat | 13 | `sendChatMessage`, `createChatConversation`, `addChatGroupMembers` |\n| Lists | 9 | `createLists`, `deleteLists`, `addListsMember` |\n| Media | 11 | `mediaUpload`, `initializeMediaUpload`, `createMediaMetadata` |\n| Community Notes | 5 | `createCommunityNotes`, `evaluateCommunityNotes`, `deleteCommunityNotes` |\n| Search & Read | 40+ | `searchPostsAll`, `getUsersTimeline`, `getTrendsByWoeid` |\n\nOur scan classified 11 tools as Destructive, 14 as Execute, 32 as Write, and 74 as Read. The Destructive tools include permanent deletion of posts, DMs, lists, and connections. The Write tools include actions that are publicly visible — posting, liking, reposting, following, and sending messages to other users.\n\nMost MCP servers we scan operate on internal infrastructure. A GitHub server can delete files in your repos. A Stripe server can issue refunds. Those are serious, but they affect resources you own.\n\nX is a public platform. An agent with access to `createPosts` can publish content to the world under your name. An agent with `createDirectMessagesByParticipantId` can message anyone you can reach. An agent with `repostPost` can amplify content to your entire follower base.\n\nThe blast radius is not your infrastructure. It is your reputation.\n\n**Post creation** (`createPosts`, risk score 5) is the most dangerous tool in the set. A single call publishes a tweet — visible to followers, indexable by search engines, screenshottable by anyone. An agent stuck in a loop, hallucinating, or following injected instructions can post content that takes seconds to create and years to explain.\n\n**Direct messages** (`createDirectMessagesByParticipantId`, `sendChatMessage`, risk score 4) let the agent contact other users privately. A hallucinated message to a business contact, a journalist, or a regulator is not a theoretical risk when you have given the agent the tool to do it.\n\n**Reposting** (`repostPost`, risk score 4) amplifies third-party content to your audience. An agent that reposts a scam, misinformation, or offensive content has done so publicly, under your account.\n\n**Destructive operations** (`deletePosts`, `deleteLists`, `deleteDirectMessagesEvents`, risk score 4-5) permanently remove content. There is no undo. An agent that deletes your post history or cleans out your DMs has caused irreversible damage.\n\n[Intercept](https://github.com/policylayer/intercept) sits between your agent and the X MCP server, evaluating every `tools/call` against a YAML policy before it reaches the X API.\n\nHere is a starter policy for the X MCP server:\n\n```yaml\nversion: \"1\"\ndescription: \"Policy for xdevplatform/xmcp\"\ndefault: \"allow\"\ntools:\n    # === Block destructive tools entirely ===\n    deletePosts:\n        default: \"deny\"\n    deleteDirectMessagesEvents:\n        default: \"deny\"\n    deleteLists:\n        default: \"deny\"\n    deleteAllConnections:\n        default: \"deny\"\n    deleteCommunityNotes:\n        default: \"deny\"\n\n    # === Rate limit public-facing actions ===\n    createPosts:\n        rules:\n          - name: \"post-rate-limit\"\n            rate_limit: \"5/hour\"\n            on_deny: \"Rate limit: max 5 posts per hour\"\n\n    repostPost:\n        rules:\n          - name: \"repost-rate-limit\"\n            rate_limit: \"10/hour\"\n            on_deny: \"Rate limit: max 10 reposts per hour\"\n\n    likePost:\n        rules:\n          - name: \"like-rate-limit\"\n            rate_limit: \"20/hour\"\n            on_deny: \"Rate limit: max 20 likes per hour\"\n\n    # === Rate limit DMs and chat ===\n    createDirectMessagesByConversationId:\n        rules:\n          - name: \"dm-rate-limit\"\n            rate_limit: \"10/hour\"\n            on_deny: \"Rate limit: max 10 DMs per hour\"\n\n    createDirectMessagesByParticipantId:\n        rules:\n          - name: \"dm-new-rate-limit\"\n            rate_limit: \"5/hour\"\n            on_deny: \"Rate limit: max 5 new DM conversations per hour\"\n\n    sendChatMessage:\n        rules:\n          - name: \"chat-rate-limit\"\n            rate_limit: \"10/hour\"\n            on_deny: \"Rate limit: max 10 chat messages per hour\"\n\n    # === Rate limit social graph changes ===\n    followUser:\n        rules:\n          - name: \"follow-rate-limit\"\n            rate_limit: \"10/hour\"\n            on_deny: \"Rate limit: max 10 follows per hour\"\n\n    unfollowUser:\n        rules:\n          - name: \"unfollow-rate-limit\"\n            rate_limit: \"10/hour\"\n            on_deny: \"Rate limit: max 10 unfollows per hour\"\n\n    # === Global safety net ===\n    \"*\":\n        rules:\n          - name: \"global-rate-limit\"\n            rate_limit: \"120/minute\"\n            on_deny: \"Global rate limit: max 120 tool calls per minute across all X tools\"\n```\n\nThis policy blocks all destructive tools outright, rate-limits public actions (posts, reposts, likes, DMs, follows), and applies a global cap to prevent runaway loops. Read operations pass through unrestricted.\n\n```bash\n# Install Intercept\nnpm install -g @policylayer/intercept\n\n# Run XMCP through Intercept with your policy\nintercept -c x-policy.yaml -- python server.py\n```\n\nSave the YAML above as `x-policy.yaml`. Intercept proxies all MCP traffic through the policy engine — no changes to your agent or the XMCP server.\n\nAdjust the limits to match your use case. A social media management agent might need higher post limits. A research agent that only reads trends and searches might not need write access at all — set `default: \"deny\"` and allowlist only the read tools.\n\nEvery major platform is shipping MCP servers. Stripe, GitHub, Slack, Cloudflare, and now X. None of them ship with access controls. The protocol does not require it, and the servers do not implement it.\n\nX makes this pattern more visible because the consequences are public. A bad API call to Stripe affects your balance. A bad API call to X affects your reputation, in public, permanently.\n\nThe tools exist. The policies should too.\n\n[Full X (Twitter) MCP policy](https://policylayer.com/policies/xdevplatform-xmcp) | [Scan your MCP config](https://policylayer.com/scan) | [Intercept on GitHub](https://github.com/policylayer/intercept)",
"url": "https://wpnews.pro/news/x-just-shipped-an-mcp-server-it-exposes-131-tools-with-zero-access-control",
"canonical_source": "https://dev.to/policylayer/x-just-shipped-an-mcp-server-it-exposes-131-tools-with-zero-access-control-639",
"published_at": "2026-06-16 13:25:59+00:00",
"updated_at": "2026-06-16 13:47:52.939984+00:00",
"lang": "en",
"topics": ["ai-agents", "ai-safety", "developer-tools", "large-language-models", "ai-policy"],
"entities": ["X", "xmcp", "X API v2", "Intercept", "OpenAPI"],
"alternates": {"html": "https://wpnews.pro/news/x-just-shipped-an-mcp-server-it-exposes-131-tools-with-zero-access-control", "markdown": "https://wpnews.pro/news/x-just-shipped-an-mcp-server-it-exposes-131-tools-with-zero-access-control.md", "text": "https://wpnews.pro/news/x-just-shipped-an-mcp-server-it-exposes-131-tools-with-zero-access-control.txt", "jsonld": "https://wpnews.pro/news/x-just-shipped-an-mcp-server-it-exposes-131-tools-with-zero-access-control.jsonld"}}