DanceTech Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automation bot, but it needs Review because it can publish posts/comments, create public GitHub repositories, and use stored credentials on schedules with weak approval safeguards.

Install only after reviewing every script and use dedicated, low-privilege throwaway Moltbook, GitHub, OpenRouter, and Privy credentials. Keep cron disabled until you add explicit approval or dry-run defaults for public posts, comments, repository creation, pushes, verification submission, and Privy resource creation. Expect real public account actions if these scripts run with live credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (17)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The code comments say the 429 handler will retry only once, but it actually recurses without any retry bound. If the remote service keeps returning 429, the script can loop indefinitely, causing uncontrolled repeated requests, long-running execution, and potential denial-of-service against itself or the API quota.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README’s primary overview and setup flow promote a fully autonomous system that performs public posting, commenting, repo creation, and API-driven actions without prominently warning users about the operational, privacy, and account-risk implications up front. This increases the chance that users enable high-impact automation without understanding credential exposure, reputation damage, platform policy violations, or unintended external actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script sends prompts and project-generation data to OpenRouter automatically, without an explicit consent gate or data classification check. In this skill, the generated content may include repository names and workflow details, and could later be expanded to include sensitive material, making silent third-party transmission risky.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
This section creates public GitHub repositories, clones them, writes AI-generated files, commits, pushes, and later participates in external posting workflows, all with no strong user confirmation beyond an optional dry-run flag. In an agent skill context, unattended publication to public services is high risk because it can leak sensitive or policy-violating generated content and create durable public artifacts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The script posts generated content to Moltbook and performs verification automatically using stored credentials, without an upfront disclosure or approval checkpoint. Because this produces public-facing content and ties actions to a real account, silent transmission is materially risky in this automation context.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
This script performs authenticated external POST requests that publish comments automatically, with no confirmation, dry-run mode, or user-facing warning at execution time. In an agent-skill context, that is risky because running the skill can trigger real account actions, spam, reputational damage, or policy violations without explicit user intent verification.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
This code performs authenticated external side effects automatically, including creating public GitHub repositories and publishing content to external platforms, without any approval gate or allowlist validation. In an agent-skill context, that is dangerous because unreviewed inputs or state files can trigger irreversible outbound actions using stored credentials.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The function executes shell commands and performs file-system writes based on data derived from external state and comments, then pushes results to GitHub using a token embedded in clone URLs. In an automated agent setting, these destructive side effects can alter local state, exfiltrate secrets via process arguments, and publish attacker-influenced content without human review.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script automatically posts comments to external content using the configured account without any approval step, dry-run mode, or recipient/content validation. In an agent-skill context, this can cause unauthorized actions, spam, reputational harm, and accidental policy violations if the script runs unexpectedly or is modified to post abusive content.

Missing User Warnings

Severity: Medium
Confidence: 76%
Finding:
The script automatically sends derived session data to an external service without an explicit consent gate, dry-run mode, or clear disclosure to the operator. In this skill context, session logs may contain behavioral or personal information, so silent exfiltration to a third-party endpoint increases privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script reads Privy credentials from a local .env file and immediately uses them to authenticate outbound requests to a third-party API. While this is expected for an integration test, it still creates a real secret-handling risk because running the script causes credential use and external transmission without an explicit safety prompt, confirmation, or scoping safeguards.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The manifest requests multiple sensitive credentials and combines them with high-risk capabilities including HTTP requests, filesystem access, process execution, and git operations, yet the description gives no user-facing disclosure of the scope of access or the actions the agent may take. In an autonomous agent context, this is dangerous because the skill could exfiltrate secrets, execute arbitrary commands, modify local files, or create remote resources without the user understanding the trust boundary.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
};

  console.log('Creating policy...');
  const policyRes = await fetch('https://api.privy.io/v1/policies', {
    method: 'POST',
    headers: {
      'Authorization': `Basic ${auth}`,
Confidence: 90%
Finding: fetch('https://api.privy.io/v1/policies', { method: 'POST'

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
// Create wallet
  console.log('Creating wallet...');
  const walletRes = await fetch('https://api.privy.io/v1/wallets', {
    method: 'POST',
    headers: {
      'Authorization': `Basic ${auth}`,
Confidence: 90%
Finding: fetch('https://api.privy.io/v1/wallets', { method: 'POST'

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
};

  console.log('Creating policy...');
  const policyRes = await fetch('https://api.privy.io/v1/policies', {
    method: 'POST',
    headers: {
      'Authorization': `Basic ${auth}`,
Confidence: 90%
Finding: https://api.privy.io/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
// Create wallet
  console.log('Creating wallet...');
  const walletRes = await fetch('https://api.privy.io/v1/wallets', {
    method: 'POST',
    headers: {
      'Authorization': `Basic ${auth}`,
Confidence: 90%
Finding: https://api.privy.io/

Credential Access

Severity: High
Category: Privilege Escalation
Content:
const { execSync } = require('child_process');

const WORKSPACE = path.resolve(__dirname, '..');
const ENV_PATH = path.join(WORKSPACE, '.env');

function loadEnv() {
  const content = fs.readFileSync(ENV_PATH, 'utf8');
Confidence: 95%
Finding: .env'

VirusTotal

62/62 vendors flagged this skill as clean.