Environment variable access combined with network send.
- Code
- suspicious.env_credential_access
- Location
- scripts/typefully.js:16
Security audit
Security checks across malware telemetry and agentic risk
This looks like a legitimate Typefully posting skill, but it should be reviewed because it can manage public social posts and has an under-disclosed API endpoint override that could redirect API keys and content if set.
Install only if you want an agent to create, edit, schedule, or publish Typefully posts for connected social accounts. Keep TYPEFULLY_API_BASE unset unless you intentionally trust that endpoint, review the selected social set and final content before scheduling or publishing, and be aware that setup may store your Typefully API key in local or global config.
64/64 vendors flagged this skill as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal