Typefully
Security checks across malware telemetry and agentic risk
Overview
This looks like a legitimate Typefully posting skill, but it should be reviewed because it can manage public social posts and has an under-disclosed API endpoint override that could redirect API keys and content if set.
Install only if you want an agent to create, edit, schedule, or publish Typefully posts for connected social accounts. Keep TYPEFULLY_API_BASE unset unless you intentionally trust that endpoint, review the selected social set and final content before scheduling or publishing, and be aware that setup may store your Typefully API key in local or global config.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
64/64 vendors flagged this skill as clean.