Back to skill

Security audit

Multi Platform Publisher Jarvis

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only social media automation skill, but it warrants review because it can direct public posts and comment replies without clear approval or account-scope safeguards.

Review this skill before installation if you would connect real social accounts. Use it only with explicit per-action confirmation, preview final posts and replies, choose exact accounts and platforms, use least-privilege credentials, and ensure scheduled posts can be reviewed and cancelled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly supports publishing content and replying to comments on external social-media platforms, which are state-changing actions performed on the user's behalf. Without clear warnings, confirmation requirements, or documentation of account/account-scope access, users may unknowingly authorize public posts or interactions that affect brand reputation, compliance, or account integrity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises analytics, fan interaction, hotspot tracking, and competitor analysis, all of which may require access to comments, account metrics, engagement data, or other potentially sensitive social-media information. Failing to disclose this access can lead to overbroad data exposure, privacy surprises, and misuse of account-linked data by users who do not understand what will be collected or processed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.