cross-platform-poster

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible cross-posting helper, but it also directs agents to register a paid external posting service without clear approval or credential safeguards.

Review before installing. Use it only with accounts where you are comfortable granting posting authority, keep credentials out of chat and shell history, and do not register the ClawSwarm service unless you understand who can invoke it and can enforce explicit approval for every post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly encourages posting to multiple third-party platforms and handling API keys, bot tokens, and OAuth credentials, but provides no warning about external data transmission, credential sensitivity, or confirmation requirements. In an agent setting, this can cause unintended disclosure of user content or secrets and trigger real-world actions on external services without adequate user awareness.

VirusTotal

62/62 vendors flagged this skill as clean.
