Back to skill

Security audit

Cross-Post

Security checks across malware telemetry and agentic risk

Overview

This is a real social-posting skill, but it needs review because it can publish publicly with broad triggers and no built-in confirmation, and some documented behavior is inaccurate.

Install only if you are comfortable storing social-media API credentials locally and letting an agent publish to your accounts. Use preview first, avoid confidential drafts, and explicitly confirm destinations before posting. Be aware that the advertised default 'all platforms' command may not publish anywhere until the dispatch bug is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of capabilities including shell execution, filesystem access, environment-variable access, network calls, and config writes, but does not declare permissions. In an agent environment, this creates a transparency and governance gap: the skill can access secrets, write persistent config, and make outbound posts without an explicit permission contract, increasing the chance of over-privileged or unintended execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior does not match the actual capabilities and limitations: it claims scheduling that is not implemented and claims cross-posting to all platforms even though the all-platform path is broken. In a posting skill, this mismatch can cause users or orchestrators to rely on guarantees that are false, leading to failed publishing, partial posting, or unsafe automation assumptions around credential setup and execution flow.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code sets platforms = ["all"] when --platform all is selected, but the subsequent loop only handles twitter, reddit, and linkedin, so nothing is actually posted. This is a security-relevant integrity issue because users may rely on the tool to publish across all platforms and make decisions based on false success messaging ("Done!") when no action occurred.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match common language like 'post this', 'publish to social', or 'share on twitter/reddit/linkedin', which can cause unintended invocation of a networked posting skill. In context, accidental activation is more dangerous because the skill can perform real external actions on users' social accounts and may expose drafts or confidential text publicly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script will publish arbitrary provided text to external social-media services without an explicit warning or confirmation step at the point of posting. In an agent/skill context, this increases the risk of unintended public disclosure, reputational harm, or accidental transmission of sensitive information because a user may not realize the action is immediately networked and public.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.