Back to skill

Security audit

Baoyu Post To X

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises by preparing X posts in a real Chrome session, but it includes a few broad desktop-control and process-cleanup behaviors that users should review first.

Install only if you are comfortable letting the skill control a real Chrome/X session, overwrite the clipboard during posting, and send paste keystrokes. Avoid using the automatic CDP cleanup guidance as-is; confirm any Chrome process termination first, and verify the browser focus before pasting or publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The troubleshooting guidance instructs terminating any Chrome/Chromium process matching remote-debugging-port, which is broader than the skill's operational need and can disrupt unrelated user sessions or other automation tasks. Unscoped host process management is dangerous because it acts on external processes outside the skill's owned browser instance and may cause data loss or interfere with security-sensitive workflows.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The instruction to automatically terminate Chrome CDP instances and retry without asking the user removes consent for a disruptive host-level action. This undermines the skill's otherwise approval-based safety model and can surprise the user by closing active browser automation or debugging sessions they did not intend to stop.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This helper sends real OS-level paste keystrokes to whichever application is frontmost, and on macOS can first activate an arbitrary app by name. That is broader than the stated skill purpose of posting to X, because a misdirected or malicious invocation could paste sensitive clipboard contents into another application, chat, terminal, password field, or privileged prompt. The skill context increases risk because browser/UI automation around social posting commonly handles copied credentials, tokens, drafts, or private user content, so clipboard exfiltration or unintended disclosure is plausible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically killing Chrome CDP instances without a user-facing warning is risky because it can abruptly terminate active browsing or debugging contexts unrelated to this task. The lack of advance notice and consent increases the chance of denial-of-service against the user's own workflows and may cause loss of unsaved state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs the agent to copy user-provided images into the system clipboard and control the user's real Chrome window, but it does not clearly warn that this can overwrite clipboard contents and send keystrokes/UI actions to a live desktop session. In a skill that automates posting to a public social platform, these side effects can cause unintended data exposure, accidental interaction with other tabs/windows, or user confusion if the system focus changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CDP fallback explicitly relies on a persistent Chrome profile with saved login sessions, but the documentation does not prominently warn that the automation will reuse existing authenticated browser state. That increases the risk of acting as the user across real accounts without sufficient consent boundaries, especially in a posting workflow that can publish content publicly or access other session-scoped data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code reads X/Twitter session cookies directly from a live browser profile via CDP and returns them to the caller without any visible consent, notice, or minimization in this file. Even though it appears intended to verify login state, auth_token and ct0 are highly sensitive session artifacts; exposing or reusing them can enable account hijacking or unauthorized posting if other parts of the skill log, transmit, or misuse the values.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/copy-to-clipboard.ts:59

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/paste-from-clipboard.ts:107

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/x-utils.ts:90