Publer API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Publer API helper, but it can act on live social media content when given a Publer API key.

Install only if you intend to let an agent use Publer on your behalf. Provide the API key only when needed, use the smallest necessary Publer scopes, and require the agent to show the target workspace, accounts, post IDs, content, schedule, recurrence, and deletion list before publishing, updating, deleting, or bulk-scheduling anything.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger guidance is materially overbroad: it says to invoke the skill for Publer-related requests and also for general social-media automation workflows even when the user does not explicitly mention Publer. That can cause the agent to select this skill in contexts where the user intended a different tool or no external action at all, increasing the chance of unintended API calls against live social-media resources.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill includes a destructive delete capability but does not require an explicit confirmation step before deletion. In an agent setting, that omission is dangerous because ambiguous or mistaken user requests could lead directly to irreversible removal of scheduled posts across connected social accounts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal