Rss To Social

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but its documentation overstates automatic social publishing while the included script only prints drafts and can still mark items as handled.

Review before installing. Treat the current implementation as an RSS draft generator, not a verified auto-poster. Do not provide social-media credentials or schedule unattended runs until the publishing path, approval controls, rate limits, and local history behavior are corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

High
Confidence: 95%
Finding
Test mode explicitly promises that no posts will be saved, but it still calls fetch_feeds(), which updates and persists last_check history. In an automation workflow, this can silently mutate state during dry runs, causing operators to miss content, make incorrect audit assumptions, or suppress future processing based on misleading persisted state.

Vague Triggers

Medium
Confidence: 78%
Finding
The invocation examples use broad natural-language commands like starting monitoring and auto-posting without defining guardrails, approval requirements, account scope, or feed constraints. In agent environments, vague triggers can cause unintended autonomous actions, including repeated posting or activation against sensitive accounts, especially when credentials are present in the environment.

Vague Triggers

Medium
Confidence: 82%
Finding
The scheduler/automation documentation encourages recurring execution every few hours but does not specify exclusions, safety checks, maximum frequency, duplicate prevention guarantees, or failure behavior. That makes accidental spam, repeated posting, or unattended misuse more likely when the skill is connected to external platforms and long-lived credentials.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill description promotes automatic publishing to external social platforms but does not clearly warn users that stored credentials may be used to post content without manual review. In this context, lack of a prominent warning increases the risk of surprise external actions, reputational damage, and misuse of connected social accounts.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation lists sensitive API keys and access tokens without accompanying guidance on secure storage, least privilege, rotation, or the risks of automatic posting. This can lead users to place secrets in insecure environments or to use overprivileged tokens, increasing the blast radius if the workspace, logs, or environment variables are exposed.

VirusTotal

65/65 vendors flagged this skill as clean.
