SocialPost Auto

Security checks across malware telemetry and agentic risk

Overview

This is a social-media automation skill whose purpose is coherent, but it can affect public accounts and asks for sensitive credentials without enough scoping, confirmation, or secret-handling guidance.

Review carefully before installing. Use scoped, revocable credentials; avoid cookie-based authentication where possible; protect local config files; do not add the cron job unless you want recurring automation; and require manual confirmation before any real post, scheduled post, or auto-reply is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding:
The skill documentation describes capabilities that require network access, task persistence, and likely local file reads/writes, but it declares no explicit permissions or trust boundaries. That mismatch can prevent informed consent and makes it harder for the host to enforce least privilege, especially because the skill handles platform credentials and can post publicly on behalf of the user.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 82%
Finding:
The skill claims social-media automation behavior but omits that it persists scheduled task data locally under a workspace path. Undocumented persistence is risky because users may not realize their posting schedules, generated content, or account-related metadata are being stored on disk, where it may be retained longer than expected or exposed to other local processes/users.

Vague Triggers

Medium
Confidence: 74%
Finding:
The trigger conditions are broad enough that ordinary conversation such as requests to post or auto-reply could automatically invoke account-affecting behavior. In a skill that can publish content and respond publicly, overbroad activation increases the risk of unintended posting, scheduling, or engagement actions without sufficiently explicit confirmation.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The skill description does not warn users that it can automatically publish content and send comment replies using their social accounts. Because these are public, reputation-affecting actions with possible privacy and compliance consequences, failing to warn users undermines informed consent and increases the chance of misuse or accidental harm.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The configuration instructs users to place API keys, tokens, and cookies into a local config without any warning about the sensitivity of those secrets or the account access they enable. Exposure of these credentials could allow unauthorized posting, account takeover of connected sessions, or misuse of paid APIs, and cookies are especially sensitive because they may represent active authenticated sessions.

VirusTotal

67/67 vendors flagged this skill as clean.
