Social Post

Security checks across malware telemetry and agentic risk

Overview

This skill can publish public posts and spend a funded Farcaster wallet, but it also has anti-spam evasion features, hard-coded external dependencies, and under-scoped third-party data sharing that need review before use.

Review before installing. Use only dedicated low-risk social accounts, avoid the --vary feature for platform-evasion use, inspect the unbundled Twitter helper and farcaster-agent repo first, keep only a small Farcaster wallet balance, do not shorten private URLs, and do not upload sensitive images through the Farcaster image path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares powerful capabilities (environment access, shell execution, and network operations) but does not explicitly declare permissions or scope boundaries. That weakens user awareness and policy enforcement, making it easier for the skill to access secrets, invoke external services, and perform side effects without clear consent expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is social posting, but the skill also handles wallet balance checks, paid-cast estimation, third-party media hosting, and URL shortening. These extra behaviors expand the trust boundary to financial operations and external data disclosures, which can surprise users and lead to unintended spending or leaking content to unrelated services.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The changelog explicitly markets functionality to evade Twitter/X duplicate-content detection, which is an anti-spam control. A social posting skill may legitimately support multi-account posting, but deliberately varying text to bypass platform safeguards crosses into abuse-enabling behavior and can facilitate spam, coordinated inauthentic posting, and policy evasion.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Including instructions to fund a Base-chain custody wallet and spend USDC introduces financial operations beyond a typical social-posting workflow. In context, that broadens the skill from content publishing into payment-backed blockchain activity, increasing risk of unintended asset movement or social engineering around funding steps.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill uploads arbitrary local image files to third-party anonymous hosting services (catbox.moe and uguu.se) before posting to Farcaster. This creates a real data-exfiltration risk because user-supplied local files are transmitted outside the Farcaster platform to unrelated services, with no trust boundary enforcement, retention guarantees, or code-level warning about where the data is going.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The function silently sends every detected URL in post text to TinyURL, which is a third-party service not mentioned in the skill description. This leaks user-provided link data and creates an undocumented external dependency, which is especially risky in a social posting tool that may handle private campaign, tracking, or pre-publication URLs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code exfiltrates URLs extracted from user text to TinyURL even though the skill's stated purpose is posting to X/Twitter and Farcaster, not sharing content with unrelated services. In context, social posts may contain sensitive or unpublished links, so sending them to a third party can disclose business intent, identifiers, or access URLs before the user expects.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script reads a local Farcaster credentials file to extract a custody wallet address, then uses that wallet information to inspect on-chain balances. That behavior is adjacent to billing/funding rather than the advertised posting/replying capability, so it expands the skill's access to sensitive local data without clear disclosure or necessity. In an agent skill context, hidden credential-derived inspection is risky because users may not expect a social posting tool to touch wallet-related files at all.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The script calculates USDC balance, estimates remaining paid casts, and prompts the user to fund the custody wallet, which introduces billing/funding behavior not reflected in the stated skill description. This mismatch is dangerous because undeclared monetization or wallet-management logic can mislead users about what the skill does and normalize interaction with payment infrastructure they did not consent to expose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script sources credentials from a hard-coded local path (/home/phan_harry/.openclaw/.env), creating an unnecessary dependency on a specific user's filesystem and expanding the skill's credential access beyond its declared posting function. This is dangerous because any execution of the image-reply path implicitly reads local secrets, and a tampered .env file or unexpected deployment environment could alter behavior or expose credentials.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
This section describes an auto-variation feature whose stated purpose is to avoid duplicate-content detection. That is a direct evasion capability against an anti-spam mechanism, making the skill materially more dangerous in context because it automates small mutations specifically to preserve posting intent while avoiding enforcement.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The feature list plainly advertises bypassing Twitter's anti-spam duplicate-content blocker. Explicit promotion of control-evasion strongly indicates the capability is intended to defeat a protective mechanism rather than support normal posting, increasing the likelihood of spam or coordinated abuse at scale.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that Farcaster images are uploaded to catbox.moe, a third-party public hosting service, but does not clearly warn users that uploaded images may become publicly accessible outside Farcaster and may be retained by an external provider. In a social-posting skill, this omission matters because users may assume images are handled only within the target platform, leading to unintended disclosure of sensitive or private media.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `--shorten-links` feature sends URLs to TinyURL, but the description does not prominently warn that user-supplied URLs and possibly campaign metadata are disclosed to a third party. This creates a confidentiality and privacy risk, especially if links contain sensitive tokens, internal hosts, or tracking parameters.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Farcaster image posting relies on public third-party hosting, but the skill does not prominently disclose that images are uploaded externally and become publicly accessible. That can expose sensitive screenshots, metadata, or private media to unintended audiences and services.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends the contents of a local path directly to external hosts via curl without any explicit user-facing warning in the implementation. In an agent skill context, this is dangerous because users may believe they are only posting to Farcaster, while the skill actually transfers file contents to additional third parties, increasing privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request uses plain HTTP to tinyurl.com, so user URLs are transmitted without transport security and can be observed or modified by network attackers. Combined with the lack of disclosure, this creates both a privacy leak and an integrity risk, since a man-in-the-middle could return a malicious shortened URL that would then be inserted into the post.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The file explicitly implements content mutation to 'avoid duplicate content detection,' which is an evasion capability rather than a normal formatting feature. In the context of a social-posting skill for X/Twitter and Farcaster, this materially increases the risk of spam, platform policy abuse, ban evasion, and scaled deceptive posting across multiple accounts.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The script accesses a hardcoded local credentials file containing wallet-related data with no runtime disclosure, consent prompt, or configurability. Even though it only reads the custody address here, silently depending on a sensitive file path increases privacy risk and makes it easier for broader credential access to be introduced later.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Checking balances on Base..."
echo ""

ETH_BALANCE_WEI=$(curl -s -X POST "$BASE_RPC" \
  -H "Content-Type: application/json" \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"eth_getBalance\",\"params\":[\"$CUSTODY_ADDRESS\",\"latest\"],\"id\":1}" \
  | jq -r '.result')
Confidence
86% confidence
Finding
curl -s -X POST "$BASE_RPC" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
fi

# Check USDC balance (6 decimals)
USDC_BALANCE_RAW=$(curl -s -X POST "$BASE_RPC" \
  -H "Content-Type: application/json" \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"eth_call\",\"params\":[{\"to\":\"$USDC_BASE\",\"data\":\"0x70a08231000000000000000000000000${CUSTODY_ADDRESS:2}\"},\"latest\"],\"id\":1}" \
  | jq -r '.result')
Confidence
86% confidence
Finding
curl -s -X POST "$BASE_RPC" \ -H "Content-Type: application/json" \ -d

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# Reply to both platforms (same message)
scripts/reply.sh --twitter 123456 --farcaster 0xabc123 "This is exactly right 🎯"

# Quick reply without confirmation
scripts/reply.sh --twitter 123456 --yes "Quick acknowledgment"

# Dry run to preview reply
Confidence
76% confidence
Finding
without confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- `--shorten-links` - Shorten URLs to save characters
- `--truncate` - Auto-truncate if over limit
- `--dry-run` - Preview without posting
- `-y, --yes` - Skip confirmation prompt (auto-confirm)

#### For `reply.sh` (replying)
Confidence
79% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- `--shorten-links` - Shorten URLs to save characters
- `--truncate` - Auto-truncate if over limit
- `--dry-run` - Preview without replying
- `-y, --yes` - Skip confirmation prompt (auto-confirm)

## Examples
Confidence
79% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- `--shorten-links` - Shorten URLs to save characters
- `--truncate` - Auto-truncate if over limit
- `--dry-run` - Preview without posting
- `-y, --yes` - Skip confirmation prompt (auto-confirm)

#### For `reply.sh` (replying)
Confidence
79% confidence
Finding
auto-confirm

VirusTotal

66/66 vendors flagged this skill as clean.
