LinkedIn Carousel Factory

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed content-drafting workflow that saves a carousel draft locally and may send a Discord status notification.

Before installing, confirm that the Obsidian path and Discord #✅-tasks channel are yours and appropriate for the topics you generate. Avoid confidential campaign topics unless you are comfortable saving them in that vault and announcing them in Discord, and check for existing draft files before overwriting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 92%
Finding
The skill instructs the agent to write output directly to a local path in the user's home/Documents tree without any explicit disclosure or consent step. Even though the content is low-risk marketing material, silent local file creation can surprise users, overwrite drafts, or leak workflow details into an unintended vault/location.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs the agent to post a status message containing topic information to Discord, an external service, without an explicit user warning or approval gate. This creates an unintended data egress path: even seemingly harmless topic metadata can reveal editorial plans, internal workflows, project names, or confidential campaign timing.

VirusTotal

64/64 vendors flagged this skill as clean.
