Typefully Skill

Security checks across malware telemetry and agentic risk

Overview

This skill transparently manages Typefully drafts through the Typefully API, with the main risk being that delete and publish actions run immediately when invoked.

Install only if you are comfortable giving the skill a Typefully API key that can manage your drafts. Before deleting or publishing, have the agent show the draft ID, content, platform list, and scheduled time, and avoid the immediate publish option unless you explicitly requested it.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script performs irreversible deletion immediately once given a numeric draft ID, with no confirmation, dry-run, or safeguard. In an agent setting, a prompt misunderstanding or tool-parameter manipulation could cause unintended data loss by deleting the wrong draft silently.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal