Back to skill

Security audit

Tootbot

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it can publish real Mastodon posts and attach media using the user's account token without strong confirmation safeguards.

Install only if you are comfortable giving the skill a Mastodon token that can post on your behalf. Before each run, confirm the exact account, text, visibility, media files, and schedule; avoid attaching sensitive local files and use a revocable, least-privilege token where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes a local script via Bun, depends on environment variables, and is intended to make outbound requests to a Mastodon instance, yet it declares no explicit permissions. This creates a transparency and policy-enforcement gap: a user or platform may not realize the skill can execute shell commands, access credentials from the environment, and publish data externally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs an agent to publish arbitrary user-provided text and media to Mastodon, an external service, but does not clearly warn that this action transmits data off-platform and may make it public. In an agent skill context, missing explicit consent and visibility warnings increases the risk of accidental data exfiltration, privacy violations, or unintended public posting.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes how to post to Mastodon but does not clearly warn that content may be published publicly to an external service using the user's account credentials. In this context, omission matters because the action is irreversible or high-impact from a privacy/reputation perspective, especially when default visibility is public.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The schema defaults the posting language to "en" whenever the caller does not explicitly provide a language. That can silently mislabel posts in Mastodon, affecting accessibility, translation behavior, moderation, and audience expectations, especially in multilingual or non-English contexts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/tootbot.js:24

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/tootbot.js:3