Back to skill

Security audit

PostKing

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed PostKing router skill with a broad command reference, and the sensitive commands appear purpose-aligned and user-directed rather than hidden or deceptive.

Install only if you want an agent connected to your PostKing account. Be careful with requests involving publishing, scheduling, billing, API keys, social account connections, or deletes, and prefer explicit confirmation before the agent runs those actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tool Parameter Abuse

High
Category
Tool Misuse
Content
pking voice brand delete <voiceProfileId> [--brand <id>] --destructive [--json]
                                           Delete a brand-owned voice profile. --destructive
                                           is required to confirm.
                                           Wraps DELETE /api/agent/v1/brands/{brandId}/voice-profiles/{voiceProfileId}.

Voice profile CREATION (extracting tone from X / LinkedIn / Threads / URLs)
runs through async extract endpoints and is currently web-only — direct
Confidence
24% confidence
Finding
DELETE /api/agent/v1/brands/{brandId}/voice-profiles/{voiceProfileId}.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.