Back to skill

Security audit

social-reader

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it needs review because it runs an unauthenticated local review server and sends social content through third-party services with weak scoping.

Install only if you are comfortable with tweet targets and content being sent to third-party fetch providers and your configured LLM provider. Run the review server only on a trusted machine, use a limited LLM API key, avoid browsing untrusted sites while the server is running, and consider adding strict URL allow-listing plus authentication or CSRF protection before regular use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation advertises and instructs use of capabilities including environment variable access, file reads/writes, network access, and shell execution, yet no permissions are explicitly declared. This creates a transparency and consent problem: an agent or user may invoke the skill without understanding it can persist data locally, contact external services, and execute local commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented behavior goes beyond passive social-media reading into active content generation, persistent workflow state management, a local review server, browser launch, and desktop notifications. This mismatch can mislead operators about the trust boundary and operational side effects, increasing the chance the skill is used in contexts where local exposure, unwanted automation, or data retention is unacceptable.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The prompt implements content generation for opinionated social posts, while the skill metadata describes scraping, reading, patrol, distillation, and review notifications. This mismatch is dangerous because callers may grant the skill broader trust, permissions, or workflow placement based on the manifest, but the actual behavior performs a different function, creating a capability-integrity gap that can enable misuse, confusion, or policy bypass in larger agent pipelines.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The pipeline mode explicitly writes multiple local state files, starts a local HTTP review server, and opens a browser, but the documentation does not prominently warn users about persistence and host-side side effects. In practice, this can lead to accidental retention of scraped content, unintended local service exposure, and surprising UI/system modifications during execution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code rewrites any supplied X/Twitter URL to api.fxtwitter.com and sends it to a third-party service without any disclosure, consent, or configuration guard. In a social scraping skill, this exposes user-requested targets and request metadata to an external operator, creating privacy, compliance, and data-handling risks even if the content is public.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Tweet/article content is transmitted to an external LLM service, which can expose scraped or sensitive data to a third party without clear consent, notice, or minimization. In this skill's context—social media scraping and distillation—bulk automated forwarding of content increases privacy, compliance, and data-governance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.