Back to skill

Security audit

Agent Social Reader

Security checks across malware telemetry and agentic risk

Overview

This skill reads and summarizes web/social content and can save results to Notion or Obsidian, with the sensitive actions generally disclosed and tied to user confirmation.

Install this only if you are comfortable with a reader skill sending requested links or media to third-party services when needed. Prefer environment variables or your agent's secure secret store for API keys, avoid saving sensitive full text to Notion unless intended, and be aware that enabling local config or auto-cleanup creates persistent preferences on the machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger phrases are extremely broad (e.g., 'read this', 'summarize', 'search for'), which can cause the skill to activate on many unrelated user requests. In an agent environment, this increases the chance the skill intercepts prompts unexpectedly and routes user data or URLs to external services without sufficiently specific user intent for this particular skill.

External Transmission

Medium
Category
Data Exfiltration
Content
if not match:
        return {"error": f"Cannot parse tweet URL: {url}"}
    username, tweet_id = match.group(1), match.group(2)
    api_url = f"https://api.fxtwitter.com/{username}/status/{tweet_id}"
    req = urllib.request.Request(api_url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
Confidence
93% confidence
Finding
https://api.fxtwitter.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**Purpose**: Mandatory handling channel for all platforms not covered by free tools above.
**Primary endpoint**: `POST https://agentlensapi.io/api/v1/fetch`
**Fallback endpoint**: `POST https://agentlensapi.io/api/v1/fetch`
**Avoid by default**: `https://api.agentlensapi.io/v1/fetch` because some local proxy/fake-IP environments can fail TLS for the API subdomain while the main host works.
**Auth**: `Authorization: Bearer {AGENT_LENS_API_KEY}`

#### Supported Platforms
Confidence
96% confidence
Finding
https://api.agentlensapi.io/

External Transmission

Medium
Category
Data Exfiltration
Content
f"Content-Type: audio/wav\r\n\r\n"
    ).encode('utf-8') + audio_data + f"\r\n--{boundary}--\r\n".encode('utf-8')
    req = urllib.request.Request(
        "https://api.openai.com/v1/audio/transcriptions",
        data=body,
        headers={
            "Authorization": f"Bearer {api_key}",
Confidence
98% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
"Ask the user whether to save the summary only, or use batched PATCH append requests."
        )
    if target_type == "database":
        url = "https://api.notion.com/v1/pages"
        payload = {
            "parent": {"database_id": target_id},
            "properties": {
Confidence
94% confidence
Finding
https://api.notion.com/

External Transmission

Medium
Category
Data Exfiltration
Content
}
        method = "POST"
    else:
        url = f"https://api.notion.com/v1/blocks/{target_id}/children"
        payload = {"children": children}
        method = "PATCH"
Confidence
94% confidence
Finding
https://api.notion.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
If either is true → prompt user:
> "Temp media files are accumulating. Options: (A) Delete now / (B) Auto-delete after each task / (C) Keep for now"

- If user chose **(B)** auto-delete previously → silently clean up without asking
- After any cleanup → always confirm what was deleted (file count + bytes freed)

### Cleanup Rules
Confidence
90% confidence
Finding
without asking

Session Persistence

Medium
Category
Rogue Agent
Content
## ⚠️ Workspace Rules

**CRITICAL: Never create or modify files directly inside the agent's default workspace unless the user explicitly asks for a workspace artifact.**
- Use `/tmp/` for all temporary outputs and transient cache.
- Use `~/.agent-social-reader/config.json` for long-term local configuration when the current agent does not provide a native secret store.
- Prefer environment variables for secrets. Never print, log, summarize, or commit full API keys/tokens.
Confidence
95% confidence
Finding
create or modify files directly inside the agent's default workspace unless the user explicitly asks for a workspace artifact.** - Use `/tmp/` for all temporary outputs and transient cache. - Use `~/.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.