Back to skill

Security audit

ViralNote

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ViralNote API helper that can schedule posts and import media with a user-provided API key, with no hidden execution or exfiltration found.

Install only if you intend to let an agent operate your ViralNote account. Use the narrowest API-key scopes needed, keep the key in VIRALNOTE_API_KEY rather than chat or files, and review captions, platforms, media, URLs, timing, deletes, publishes, webhook changes, and API-key changes before allowing the agent to proceed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README encourages users to schedule posts and import external media through an agent skill, but it does not clearly warn that these actions can create or modify content on third-party social accounts or pull untrusted external data into the user's media library. In an agent context, this omission increases the risk of users invoking consequential actions without understanding that the skill can perform real-world side effects across multiple connected platforms.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.