Security audit

Social Media Autopilot

Security checks across malware telemetry and agentic risk

Overview

This skill drafts social media calendars using Gemini and has some configuration/privacy hygiene issues, but its behavior is disclosed, purpose-aligned, and not malicious.

Install only if you are comfortable sending brand, audience, tone, and campaign details to Gemini. Replace the hard-coded Edwin-specific .env path with your own secret setup, review generated posts before use, and require a separate explicit approval step before any other tool schedules or publishes content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation indicates access to environment data and file-writing behavior without declaring corresponding permissions or clearly constraining their use. This creates a trust and review gap: an agent may read secrets from a local .env and write outputs to arbitrary paths even though users are only told it generates a content calendar.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The stated purpose is simple content-calendar generation, but the skill also relies on a local filesystem secret source, sends data to a third-party AI provider, and can write to arbitrary output paths. That mismatch is security-relevant because users and agents may invoke it without understanding that local secrets are read, brand data is exfiltrated to an external service, and files may be created or overwritten.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: The instructions tell the agent to schedule posts after approval, expanding the skill from content generation into taking actions that affect external accounts. Even with an approval step, this is more dangerous than the declared purpose because it can cause unintended publication workflows, misuse connected social accounts, or pressure downstream automation into acting beyond the user's expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The skill loads environment variables from a hard-coded absolute .env path and then reads an API key, which introduces unnecessary access to local secrets beyond the user-facing task of generating content. In a shared or agentic environment, this can couple the skill to a specific workstation, pull in unrelated secrets, and normalize secret access patterns that are broader than required.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The documentation discusses approval and later scheduling affecting external social accounts, but it does not prominently warn users that the workflow may lead to actions on external platforms. This can cause unsafe assumptions about the skill being purely local or draft-only, especially in agentic environments where adjacent tools may act on those instructions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill sends user-supplied brand, niche, audience, and tone data to Google's Gemini API without an explicit disclosure at the point of use or a consent mechanism. Business descriptors, campaign plans, and target-audience information can be commercially sensitive, so silent third-party transmission creates a real privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.