Security audit

Neta Community

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a normal Neta community browsing guide, but it can use an account token to like, favorite, comment, and follow without clear confirmation rules.

Review before installing. Only provide NETA_TOKEN if you trust the Neta CLI package and are comfortable with an agent acting on your Neta account. Use it read-only by default, require explicit confirmation before liking, favoriting, commenting, following, or unfollowing, and avoid saving feed responses or debug logs unless you can protect and delete them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The skill metadata and instructions explicitly say not to use this skill for taxonomy or keyword-level research, yet the same document exposes tag research, hashtag info, character search, and collection lookup commands. This creates routing ambiguity that can cause the agent to invoke the wrong skill, bypass intended capability boundaries, and perform broader data retrieval than the user or system expects.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The document tells users to avoid this skill for systematic research, but later references 'research flow and analysis methods' and 'tag research' within the same skill. Contradictory guidance weakens policy enforcement and makes it easier for an agent to justify using this skill outside its declared boundary, which can undermine least-privilege skill selection.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The documentation instructs users to invoke `make_image` from a community skill whose stated scope is browsing and interacting with community content, not content generation. This scope expansion can cause an agent to select or execute capabilities outside user expectations and policy boundaries, increasing the chance of unauthorized or unsafe actions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The file recommends tag-based character research even though the skill metadata explicitly says this skill should not be used for taxonomy or keyword-level research. Contradictory guidance can misroute agent behavior, bypass intended skill separation, and lead to overbroad data exploration beyond the approved use case.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The document explicitly scopes itself to hashtag research commands, but later instructs users to invoke unrelated character lookup, search, and image generation commands. This kind of scope drift can cause an agent to use capabilities outside the approved skill boundary, increasing the chance of unintended actions and privilege overreach.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The guidance moves from passive community research into active content creation, including instructions to create based on research. In a skill described as community browsing and interaction only, this can mislead the agent into taking actions outside intended scope and blur trust boundaries between read-only discovery and generative operations.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: Including an image generation command in a community browsing skill introduces an unjustified active capability not supported by the skill's stated purpose. If an agent follows this documentation, it could invoke content generation tools unexpectedly, causing unauthorized actions, policy bypass between skills, or expansion from low-risk browsing into higher-risk creation workflows.

Vague Triggers
Severity: Medium
Confidence: 78%
Finding: The activation description uses broad phrases like 'see what people are making' and 'scroll the feed,' which can overlap with many generic browsing intents. Overbroad triggers increase the chance of accidental activation, causing the agent to select a skill with authenticated community interaction features when a narrower or read-only capability might have been more appropriate.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: The instructional examples describe broad tasks like viewing the community and interacting with works, but do not clearly define boundaries against adjacent skills or safer read-only flows. This ambiguity can lead to unintended invocation and escalation from simple browsing into account-affecting actions.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill encourages performing likes and other interactions without warning that these are authenticated, account-affecting actions. In an agent setting, this can cause unauthorized or surprising mutations to a user's account state if the tool is invoked from an ambiguous request or without explicit confirmation.

Missing User Warnings
Severity: Low
Confidence: 72%
Finding: The prerequisite instructs users to set NETA_TOKEN but provides no guidance on secure credential handling, storage, or redaction. While not an exploit by itself, normalizing unsafe token handling increases the risk of accidental exposure through shell history, logs, screenshots, or copied examples.

Missing User Warnings
Severity: Low
Confidence: 80%
Finding: The caching examples write API responses containing character metadata and image URLs to local files without warning about retention, access controls, or sensitive content handling. While not directly exploitable on its own, this encourages insecure storage practices that can expose user activity or fetched content to other local users, logs, backups, or downstream tooling.

Missing User Warnings
Severity: Low
Confidence: 82%
Finding: The document recommends writing fetched data to local files without noting persistence, retention, or sensitivity considerations. While the data appears to be ordinary research output, undocumented local writes can still create privacy, storage, or operational risks in agent environments that assume ephemeral handling.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation instructs users to write interactive feed responses to /tmp, which is commonly shared and may be readable by other local users or exposed through debugging, backups, or support collection workflows. Because these responses can contain personalized recommendations, identifiers, and session continuity data such as biz_trace_id, the example normalizes insecure handling of potentially sensitive user data.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The guidance recommends enabling DEBUG=* for the CLI without warning that verbose logs may include request parameters, response bodies, UUIDs, and session identifiers. In a community feed skill, that can expose personalized content and user-linked metadata to terminal history, CI logs, shell transcripts, or shared support artifacts.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill documentation exposes commands that perform account-affecting social actions such as liking, favoriting, following, and posting comments, but it provides no warning or confirmation requirements before acting on the user's behalf. In an agent setting, this can lead to unintended engagement, spammy behavior, or reputational/account impact if the agent executes these actions without explicit, per-action user consent.

VirusTotal

64/64 vendors flagged this skill as clean.