Automated Tweet Scheduler

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent tweet-scheduling skill whose public-posting actions match its stated purpose, with a safety documentation gap users should notice.

Before installing, make sure you are comfortable granting it access to a social account and confirm whether it previews posts and asks before publishing or deleting scheduled content. Use limited account permissions where possible and review scheduled posts before they go live.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill describes actions that can post content, delete scheduled items, and upload media to a user's social account, but it does not warn users about account-affecting side effects or the need for explicit confirmation. In a tweet-scheduling context, these operations directly affect public-facing content and brand reputation, so missing safety disclosures increases the risk of accidental or unauthorized actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal