X Twitter Post Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to publish X/Twitter posts, but it can post publicly from a logged-in account and points to a missing PowerShell script.

Review before installing. Only use this with an explicit rule that the agent must show the exact post text, selected markdown label, and active X/Twitter account, then receive clear approval before clicking Post. Also verify or replace the missing publish-x-post.ps1 script before running any PowerShell command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill automates an irreversible external action—posting to a public social media account—without requiring an explicit confirmation step immediately before submission. In an agent setting, this increases the risk of accidental, premature, or context-confused posting from the user's authenticated account, which can cause reputational harm and unintended disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.
