Genviral - Social Media Automation

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate Genviral social-media automation wrapper, but it gives agents persistent authority to post publicly and delete content without enough approval or safety gates.

Install only if you intend to let an agent manage real Genviral-connected social accounts. Before enabling cron or defaults, use review/draft-only workflows, explicitly choose allowed account IDs, protect and rotate the API key if exposed, and require human approval for live posts and deletions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script sources ${HOME}/.config/env/global.env from outside the skill directory, which executes arbitrary shell code in that file with the script's privileges. In an agent setting, this expands trust beyond the skill bundle and can silently import or execute attacker-controlled content if the global env file is modified or shared across tools.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly promotes cron-based autopilot for generation, review, posting, analytics, and strategy updates across connected social accounts, but it does not pair that capability with a clear warning about autonomous external actions, account impact, rate-limit/platform-policy risks, or the need for explicit operator approval. In an agent-skill context, that omission materially increases the chance of unintended posting, misuse of linked accounts, and silent collection or processing of account analytics/data.

Missing User Warnings

Medium
Confidence: 83%
Finding
The documented delete commands are destructive and lack any warning, confirmation, or safe-operating guidance. In an agentic setting, this increases the risk of accidental bulk deletion of posts or content through misinterpretation, prompt injection, or user ambiguity, especially because the command supports multiple IDs at once.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill sends files, captions, account identifiers, analytics data, and potentially brand context to external APIs and CDN endpoints, but the description does not prominently warn about this data transmission. In this skill's context, external sharing is core functionality, so failing to surface privacy implications can lead users or agents to expose sensitive media, account metadata, or campaign data without informed consent.

Missing User Warnings

Medium
Confidence: 92%
Finding
The file explicitly instructs users to automate generation, posting, and review of social media content without any warning, confirmation gate, or discussion of risks from autonomous publishing. Because this skill is designed to act on external accounts and publish publicly, unattended scheduling increases the chance of accidental posting, brand damage, policy violations, or misuse if prompts or upstream content are wrong.

Missing User Warnings

Medium
Confidence: 96%
Finding
The daily cron message contains a direct instruction to 'Post to the default account' as part of an unattended pipeline, with no explicit confirmation, environment check, or warning that this will affect a real social media account. In context, this is more dangerous because the skill's purpose is full content pipeline automation across public platforms, so a misconfigured default account or low-quality/generated content could be published automatically at scale.

Missing User Warnings

Medium
Confidence: 90%
Finding
The legacy full-pipeline flow can culminate in creating draft posts on external platforms without any interactive confirmation or dry-run gate. For an automation skill that can publish or queue social content, missing an approval step increases the risk of unintended outbound actions, reputational damage, and misuse by prompt or parameter manipulation.

Missing User Warnings

Medium
Confidence: 94%
Finding
Bulk deletion of posts is performed immediately once IDs are supplied, with no confirmation prompt, preview, or safe mode. In agent-driven contexts this makes destructive actions easy to trigger accidentally or through parameter abuse, potentially deleting large amounts of user content.

Missing User Warnings

Medium
Confidence: 92%
Finding
The setup instructs users to add a combined public ID and secret API credential to an environment file for persistence, but gives no guidance on secret storage, file permissions, or avoiding commits to source control. In an automation skill that can create posts, manage media, and access analytics across multiple social accounts, leakage of this key could enable unauthorized account actions and content abuse.

VirusTotal

66/66 vendors flagged this skill as clean.
