Content Workflow Engine

Security checks across malware telemetry and agentic risk

Overview

This content automation skill appears purpose-aligned, but it needs Review because it can run live publishing workflows and includes under-scoped command execution and sensitive-input logging risks.

Install only if you are comfortable reviewing workflows before running them. Use test accounts first, provide least-privilege API keys, avoid passing secrets in workflow inputs, and treat any live publish, scheduled post, newsletter send, or auto-response as an externally visible action that should require explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium, 97% confidence

The wrapper builds a shell command string with `python3 "${scriptPath}" ${args.join(' ')}` and executes it via `exec`, which invokes a shell. Because `args` come from user-controlled CLI input and are concatenated without escaping or validation, an attacker can inject shell metacharacters to execute arbitrary OS commands, not just the intended Python script.

Context-Inappropriate Capability

High, 95% confidence

The runner accepts an arbitrary tool name from the workflow definition and, if it is not in the built-in allowlist, dynamically loads and executes a Python module from the local tools directory. That creates an extensibility path where untrusted or insufficiently governed workflow files can trigger execution of code outside the declared content-workflow scope, effectively turning workflow configuration into code selection and increasing the risk of unauthorized capability use or arbitrary code execution via planted modules.

Missing User Warnings

Medium, 89% confidence

The listing promotes automated publishing, scheduling, newsletter sending, and API-key driven integrations across external services, but it does not clearly warn users that the skill can perform real actions on third-party accounts and process potentially sensitive audience or analytics data. In a marketplace listing, this omission can mislead users about operational risk, increasing the chance of unintended posts, unwanted email sends, or over-broad credential use once the skill is installed and configured.

Missing User Warnings

Medium, 89% confidence

The skill instructs users to store API credentials and automate publishing, email distribution, and analytics collection across third-party services, but it does not warn about privacy, consent, or data-sharing risks. In this context, content drafts, subscriber data, engagement metrics, and tokens may be transmitted to external platforms without adequate disclosure or safeguards, creating risk of privacy violations and credential mishandling.

Missing User Warnings

Medium, 99% confidence

This code forwards arbitrary CLI arguments directly into a shell-executed command without quoting or sanitization, so input such as `;`, `&&`, backticks, or `$()` can break out of the intended argument context and run attacker-supplied commands. The lack of any warning is secondary; the core issue is command injection through unsafe subprocess construction.

Missing User Warnings

Medium, 93% confidence

The guide describes automated publishing to WordPress/Medium/Ghost and automated distribution to social platforms and communities, but it does not prominently warn that these actions can post to live public accounts and create irreversible external side effects. In an agent skill context, this increases the risk of accidental publication, spam, reputational harm, or misuse of connected accounts if a workflow is run with real credentials or insufficient approval gates.

Missing User Warnings

Medium, 90% confidence

The document promotes automated creation, scheduling, publishing, and monitoring across external social media accounts, but it does not clearly warn that these actions can cause real public posts, account activity, and brand-impacting changes. In an agent skill context, this omission is dangerous because users or downstream agents may treat the workflow as low risk and trigger actions against production accounts without explicit confirmation or sandboxing.

Missing User Warnings

Medium, 93% confidence

The engagement management section documents automated responses without warning that replies may be posted publicly and may speak in the user's or organization's brand voice. This creates risk of unintended public statements, reputational damage, and accidental disclosure or mishandling of sensitive interactions if auto-response rules are too broad or incorrectly configured.

Missing User Warnings

Medium, 92% confidence

The script prints the full input payload to stdout and also stores `input_data` verbatim in the generated report file. In a content automation workflow, inputs may contain API keys, unpublished content, customer data, campaign plans, or other sensitive business information, so this behavior can leak secrets to logs, terminals, CI systems, shared report directories, or later readers of saved artifacts.

VirusTotal

62/62 vendors flagged this skill as clean.