Back to skill

Security audit

X Auto Posting

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it needs review because it can use a logged-in X account to publish posts and replies while keeping local posting records.

Install only if you are comfortable giving the agent controlled access to a logged-in X session for posting, replying, reading X network responses, uploading chosen media, and saving local posting history. Review each AskUserQuestion prompt carefully before confirming any publish or reply action, and periodically delete local tracking files if the posting history is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill metadata presents this as tweet posting and performance tracking, but the Phase 6 flow also allows viewing comments, drafting responses, and publishing replies to other users. That expands the action surface from self-posting into account interaction with third parties, which can cause unintended external communications, reputational damage, or unauthorized engagement if the skill is invoked under the narrower expectation set by the manifest.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The operational-boundary statement claims the skill 'only reads data already displayed to the user,' but the instructions clearly include state-changing actions: publishing tweets/replies, clearing compose content, uploading media, and writing local tracking/state files. Misrepresenting a skill as read-only when it can perform account actions undermines informed consent and can lead users or orchestration systems to authorize a much more privileged workflow than intended.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tracking phase documentation expands the skill from passive analytics into active comment reading and reply posting, which is a materially different capability than the manifest's stated 24-hour performance tracking/reporting scope. This scope creep can cause the agent to perform account actions the user did not clearly authorize, increasing the risk of unintended public posting, impersonation, spammy behavior, or reputational harm.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation phrases are broad and include common terms like 'generate tweet,' 'publish tweet,' 'X account management,' and multilingual variants that could match general discussion or low-intent requests. Over-broad triggering is dangerous for a skill with side effects because it increases the chance the agent selects an auto-posting workflow when the user only wanted advice, draft help, or analytics, potentially leading to unwanted navigation, account inspection, or posting steps.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The standalone trigger 'track performance' / 'check metrics' is underspecified and may activate this skill from vague analytics-related requests without making clear that it will access local published.json data, navigate to tweet URLs, and inspect account-linked X traffic. In context, this is less severe than auto-publishing, but it still risks unintended account/session interaction and privacy-sensitive data collection under an ambiguous trigger.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow persists tweet content, source links, account handle context, timestamps, and tracking metadata into local files without any stated retention limits, minimization rules, or user notice. This creates a privacy and operational security risk because sensitive posting history and source attribution can accumulate indefinitely and be exposed through workspace access, backups, or later misuse.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases for batch tracking (such as ordinary-language requests to 'look at data') are broad enough to match normal conversation and may launch tracking workflows without sufficiently specific user intent. In a skill that reads account-linked posting history and performs browser-driven collection, ambiguous triggering can lead to unintended data access or automated actions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The report-generation triggers are underspecified and can be activated by generic phrases like 'generate report' or 'export data' that may arise in unrelated discussion. Because the workflow writes reports from account activity data, ambiguous activation can expose analytics, create files unexpectedly, or cause the agent to act on the wrong task context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.