X Just Shipped an MCP Server. It Exposes 131 Tools With Zero Access Control.

X (formerly Twitter) just released xmcp, an official MCP server that wraps the entire X API v2. X is the largest social media platform to ship a first-party MCP integration, and the server exposes 131 tools to any connected agent.

That includes createPosts, sendChatMessage, followUser, repostPost, deletePosts, and createDirectMessagesByParticipantId. Every one of those tools is available to every connected agent, with no permissions model, no scoping, and no rate limiting at the MCP layer.

What the X MCP server exposes

The server dynamically generates tools from X’s OpenAPI specification at startup. After filtering out streaming and webhook endpoints, agents get access to 131 operations across every major surface of the platform:

| Category | Tools | Examples |
| --- | --- | --- |
| Posts | 15 | createPosts, deletePosts, searchPostsRecent, hidePostsReply |
| Direct Messages | 10 | createDirectMessagesByParticipantId, deleteDirectMessagesEvents |
| Users | 30+ | followUser, unfollowUser, muteUser, blockUsersDms, likePost, repostPost |
| Chat | 13 | sendChatMessage, createChatConversation, addChatGroupMembers |
| Lists | 9 | createLists, deleteLists, addListsMember |
| Media | 11 | mediaUpload, initializeMediaUpload, createMediaMetadata |
| Community Notes | 5 | createCommunityNotes, evaluateCommunityNotes, deleteCommunityNotes |
| Search & Read | 40+ | searchPostsAll, getUsersTimeline, getTrendsByWoeid |

Our scan classified 11 tools as Destructive, 14 as Execute, 32 as Write, and 74 as Read. The Destructive tools include permanent deletion of posts, DMs, lists, and connections. The Write tools include actions that are publicly visible — posting, liking, reposting, following, and sending messages to other users.

Why this is different from other MCP servers

Most MCP servers we scan operate on internal infrastructure. A GitHub server can delete files in your repos. A Stripe server can issue refunds. Those are serious, but they affect resources you own.

X is a public platform. An agent with access to createPosts can publish content to the world under your name. An agent with createDirectMessagesByParticipantId can message anyone you can reach. An agent with repostPost can amplify content to your entire follower base.

The blast radius is not your infrastructure. It is your reputation.

The high-risk tools

Post creation (createPosts, risk score 5) is the most dangerous tool in the set. A single call publishes a tweet — visible to followers, indexable by search engines, screenshottable by anyone. An agent stuck in a loop, hallucinating, or following injected instructions can post content that takes seconds to create and years to explain.

Direct messages (createDirectMessagesByParticipantId, sendChatMessage, risk score 4) let the agent contact other users privately. A hallucinated message to a business contact, a journalist, or a regulator is not a theoretical risk when you have given the agent the tool to do it.

Reposting (repostPost, risk score 4) amplifies third-party content to your audience. An agent that reposts a scam, misinformation, or offensive content has done so publicly, under your account.

Destructive operations (deletePosts, deleteLists, deleteDirectMessagesEvents, risk score 4-5) permanently remove content. There is no undo. An agent that deletes your post history or cleans out your DMs has caused irreversible damage.

Securing the X MCP server with Intercept

Intercept sits between your agent and the X MCP server, evaluating every tools/call against a YAML policy before it reaches the X API.

Here is a starter policy for the X MCP server:

version: "1"
description: "Policy for xdevplatform/xmcp"
default: "allow"
tools:
    # === Block destructive tools entirely ===
    deletePosts:
        default: "deny"
    deleteDirectMessagesEvents:
        default: "deny"
    deleteLists:
        default: "deny"
    deleteAllConnections:
        default: "deny"
    deleteCommunityNotes:
        default: "deny"

    # === Rate limit public-facing actions ===
    createPosts:
        rules:
          - name: "post-rate-limit"
            rate_limit: "5/hour"
            on_deny: "Rate limit: max 5 posts per hour"

    repostPost:
        rules:
          - name: "repost-rate-limit"
            rate_limit: "10/hour"
            on_deny: "Rate limit: max 10 reposts per hour"

    likePost:
        rules:
          - name: "like-rate-limit"
            rate_limit: "20/hour"
            on_deny: "Rate limit: max 20 likes per hour"

    # === Rate limit DMs and chat ===
    createDirectMessagesByConversationId:
        rules:
          - name: "dm-rate-limit"
            rate_limit: "10/hour"
            on_deny: "Rate limit: max 10 DMs per hour"

    createDirectMessagesByParticipantId:
        rules:
          - name: "dm-new-rate-limit"
            rate_limit: "5/hour"
            on_deny: "Rate limit: max 5 new DM conversations per hour"

    sendChatMessage:
        rules:
          - name: "chat-rate-limit"
            rate_limit: "10/hour"
            on_deny: "Rate limit: max 10 chat messages per hour"

    # === Rate limit social graph changes ===
    followUser:
        rules:
          - name: "follow-rate-limit"
            rate_limit: "10/hour"
            on_deny: "Rate limit: max 10 follows per hour"

    unfollowUser:
        rules:
          - name: "unfollow-rate-limit"
            rate_limit: "10/hour"
            on_deny: "Rate limit: max 10 unfollows per hour"

    # === Global safety net ===
    "*":
        rules:
          - name: "global-rate-limit"
            rate_limit: "120/minute"
            on_deny: "Global rate limit: max 120 tool calls per minute across all X tools"

This policy blocks all destructive tools outright, rate-limits public actions (posts, reposts, likes, DMs, follows), and applies a global cap to prevent runaway loops. Read operations pass through unrestricted.
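To make the enforcement step concrete, here is a simplified model of a gate that checks each tools/call message against a policy of this shape. It is an added example, not Intercept's code: the `PolicyGate` class, the sliding-window counting, and applying the `"*"` rules on top of per-tool rules are all assumptions, and the policy is a constructed subset transcribed as a dict.

```python
import time
from collections import defaultdict, deque

# Constructed subset of the starter policy above, transcribed as a dict.
POLICY = {
    "default": "allow",
    "tools": {
        "deletePosts": {"default": "deny"},
        "createPosts": {"rules": [{"name": "post-rate-limit",
                                   "rate_limit": "5/hour",
                                   "on_deny": "Rate limit: max 5 posts per hour"}]},
        "*": {"rules": [{"name": "global-rate-limit",
                         "rate_limit": "120/minute",
                         "on_deny": "Global rate limit: max 120 tool calls per minute"}]},
    },
}
UNIT_SECONDS = {"minute": 60, "hour": 3600}


class PolicyGate:
    """Hypothetical gate; models the policy semantics, not Intercept internals."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock = policy, clock
        self.hits = defaultdict(deque)  # rule name -> times of allowed calls

    def _over_limit(self, rule, now):
        count, unit = rule["rate_limit"].split("/")
        window = self.hits[rule["name"]]
        while window and now - window[0] >= UNIT_SECONDS[unit]:
            window.popleft()  # drop calls that left the sliding window
        return len(window) >= int(count)

    def check(self, request):
        """Return (allowed, reason) for one JSON-RPC message from the agent."""
        if request.get("method") != "tools/call":
            return True, "not a tool call"
        tool = request["params"]["name"]
        tools = self.policy["tools"]
        entry = tools.get(tool, {})
        if entry.get("default", self.policy["default"]) == "deny":
            return False, f"{tool} is denied by policy"
        rules = entry.get("rules", []) + tools.get("*", {}).get("rules", [])
        now = self.clock()
        for rule in rules:
            if self._over_limit(rule, now):
                return False, rule["on_deny"]
        for rule in rules:  # count the call only if every rule passed
            self.hits[rule["name"]].append(now)
        return True, "ok"
```

Denied calls are not counted against any window, so an agent retrying a blocked post does not consume the global budget that read tools share.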

Getting started

# Install Intercept
npm install -g @policylayer/intercept

# Run XMCP through Intercept with your policy
intercept -c x-policy.yaml -- python server.py

Save the YAML above as x-policy.yaml. Intercept proxies all MCP traffic through the policy engine — no changes to your agent or the XMCP server.

Adjust the limits to match your use case. A social media management agent might need higher post limits. A research agent that only reads trends and searches might not need write access at all — set default: "deny" and allowlist only the read tools.
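Because the starter policy keeps `default: "allow"`, any tool without its own entry is limited only by the global cap. The following added example (not part of Intercept) lists those tools and builds the deny-by-default variant described above. It assumes read tools are the ones named get*/search*, that a per-tool `default: "allow"` is accepted the same way `default: "deny"` is, and it uses a constructed tool list made of names quoted in this post.

```python
import json

# Assumption: read-only tools are the ones named get*/search*, as in the
# "Search & Read" row of the table; everything else needs an explicit rule.
READ_PREFIXES = ("get", "search")

# Constructed sample standing in for a tools/list result: names quoted in the post.
TOOLS = ["createPosts", "deletePosts", "searchPostsRecent", "hidePostsReply",
         "followUser", "muteUser", "likePost", "repostPost", "sendChatMessage",
         "addChatGroupMembers", "createLists", "mediaUpload",
         "createCommunityNotes", "searchPostsAll", "getUsersTimeline",
         "getTrendsByWoeid"]

# Tool keys that have their own entry in the starter policy above.
STARTER_KEYS = {"deletePosts", "deleteDirectMessagesEvents", "deleteLists",
                "deleteAllConnections", "deleteCommunityNotes", "createPosts",
                "repostPost", "likePost", "createDirectMessagesByConversationId",
                "createDirectMessagesByParticipantId", "sendChatMessage",
                "followUser", "unfollowUser"}


def is_read(tool):
    return tool.startswith(READ_PREFIXES)


def uncovered(tools, policy_keys):
    """Non-read tools that default: "allow" passes with no rule of their own."""
    return sorted(t for t in tools if not is_read(t) and t not in policy_keys)


def read_only_policy(tools):
    """Default-deny policy in the post's layout, allowlisting only read tools."""
    # Assumption: a per-tool default of "allow" mirrors the "deny" form above.
    allow = {t: {"default": "allow"} for t in sorted(tools) if is_read(t)}
    return {"version": "1", "default": "deny", "tools": allow}


if __name__ == "__main__":
    print("review before trusting default allow:", uncovered(TOOLS, STARTER_KEYS))
    print(json.dumps(read_only_policy(TOOLS), indent=2))
```

Since xmcp generates its tools from the OpenAPI specification at startup, rerunning a check like this against the live tools/list output catches tools that appear after the policy was written.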

The pattern is clear

Every major platform is shipping MCP servers. Stripe, GitHub, Slack, Cloudflare, and now X. None of them ship with access controls. The protocol does not require it, and the servers do not implement it.

X makes this pattern more visible because the consequences are public. A bad API call to Stripe affects your balance. A bad API call to X affects your reputation, in public, permanently.

The tools exist. The policies should too.
