Dataify Facebook Profile By Url

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify integration for submitting Facebook profile collection tasks, with expected token and network use for that purpose.

Install only if you intend to submit Facebook profile collection jobs through Dataify. Be aware that it can use a saved DATAIFY_API_TOKEN and send profile URLs to Dataify, so confirm the target URLs and make sure you have authorization and a legitimate basis for collecting the profile data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to read a locally saved environment variable (`DATAIFY_API_TOKEN`) and make outbound network requests, yet no declared permissions are present. This creates a permission-boundary mismatch: an operator may not realize the skill can access secrets and transmit data off-host, which increases the risk of unintended secret use or unauthorized external requests.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill enables implicit invocation but the manifest does not define narrow trigger constraints or concrete invocation examples, increasing the chance that the agent will call the skill on loosely related prompts. Because this skill submits external Dataify tasks for Facebook profile collection, an over-broad invocation surface can cause unintended scraping actions, privacy-sensitive processing, or token-backed API usage without sufficiently explicit user intent.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- If the user provides a token in the request, use it for this run.
- If no token is provided, first check whether `DATAIFY_API_TOKEN` is already saved locally in the environment.
- If `DATAIFY_API_TOKEN` is saved locally, use it without asking the user to re-enter the token.
- If no token is available locally, tell the user they need to provide a Dataify API TOKEN.
- If the user does not have an API TOKEN, tell them they can register or log in at `https://dataify.com/login` to get one.
- If the user already has an API TOKEN, tell them it is available in the top-right area of `https://dataify.com/dashboard/`.
Confidence
83% confidence
Finding
without asking

VirusTotal

65/65 vendors flagged this skill as clean.
