publish to all your social media!

Security checks across malware telemetry and agentic risk

Overview

This is a Fedica browser-automation guide for scheduling social posts, with the main risk being that it can act in a logged-in public posting account.

Install only if you are comfortable letting an agent operate a logged-in Fedica account. Review the exact post text, media, target platforms, and local scheduled time before confirming any publish or schedule action, and avoid exposing broad local secret stores unless you explicitly choose that credential path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The skill explicitly tells the agent to obtain credentials from local secret stores, password managers, environment variables, and files outside the browser workflow. That broadens the skill from UI automation into local secret access, which increases the chance of unnecessary credential exposure or misuse if an agent is over-permissioned or tricked into retrieving secrets.

VirusTotal

65/65 vendors flagged this skill as clean.
