Back to skill

Security audit

PostKing · Blog

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PostKing blog-management guide with disclosed publishing and deletion abilities, but users should be careful because those actions can change live content.

Install only if you intend to let your agent manage PostKing blog content. Review article IDs and destinations before publishing or deleting, especially when connected WordPress, Medium, or Substack accounts are involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents a destructive delete operation (`pking blogs delete <articleId>`) without any instruction to confirm user intent, warn about irreversibility, or suggest a preview/list step before deletion. In an agent context, that omission can lead to accidental data loss if the model infers deletion as a routine housekeeping action and executes it without explicit confirmation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.