Back to skill

Security audit

Multi Platform Synergy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-platform operations playbook, but it gives an agent broad authority to coordinate public posting, commenting, likes, and data collection across multiple accounts without clear user controls or privacy limits.

Review before installing if you plan to let an agent act on real accounts. Only use it with accounts you are authorized to operate, require explicit approval before posting, commenting, liking, sending messages, or changing schedules, and treat the stored cycle-state file as potentially sensitive campaign/account metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly stores ongoing operational state in a local file (`memory/cycle-state.json`) but does not warn the user that posting status, topic selection, and account activity metadata will be persisted. In an agent setting, silent persistence can expose sensitive campaign details, account mappings, or behavioral history to other tools, users, or later runs if the workspace is shared or insufficiently protected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes cross-platform data collection and coordination across multiple accounts and services without any privacy, consent, or data-handling guidance. This creates risk of collecting or correlating platform activity, engagement metrics, and account relationships in ways that may violate user expectations, platform policies, or internal data governance requirements.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.