Back to skill

Security audit

Followers

Security checks across malware telemetry and agentic risk

Overview

This is a local follower-themed logging tool that saves user-entered data on disk, with no evidence of network exfiltration, credential access, destructive behavior, or hidden execution.

Install only if you want a simple local logging helper, not verified social-platform analytics. Anything typed into it may be saved in ~/.local/share/followers, so do not enter API tokens, passwords, private account notes, or sensitive URLs; delete that folder when you no longer need the records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill explicitly states that it stores data locally and logs activity with timestamps, and supports export to multiple formats, but provides no privacy notice or warning about what may be retained or exposed. In a follower analytics context, exported history and logs could contain sensitive account, audience, or usage metadata that users may not realize is being persisted.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persistently stores raw user-provided input in plaintext log files under the user's home directory without an explicit warning, consent flow, retention policy, or data minimization. In practice, users may paste tokens, account identifiers, URLs, or other sensitive operational data, which then becomes recoverable from disk and available to anyone with local access to the account.

Ssd 3

Medium
Confidence
92% confidence
Finding
The tool is designed to retain arbitrary user input across many commands and later re-display it via search, recent, status, and export features, increasing the blast radius of any sensitive data entered once. In the context of a skill presented as follower/account tooling, operators may reasonably input social account details, URLs, webhook endpoints, or credentials, making this persistence-and-reexposure behavior materially risky.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.