Back to skill

Security audit

Social Media Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent social media helper, but it can direct public posts and scheduled posts without explaining account access, approvals, previews, or cancellation controls.

Before installing, confirm which social accounts it can access, where credentials are stored, and whether every post or scheduled post requires explicit approval with exact content and platform list. Use it only with preview, draft, and cancel controls for scheduled posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly supports posting and scheduling content to external social media platforms, which can trigger real actions on connected user accounts. Failing to warn users about external publication, account impact, and possible disclosure of content/metadata creates a meaningful transparency and consent risk, especially for an agent skill that may be invoked with little friction.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.