Back to skill

Security audit

Skill to manage a facebook page

Security checks across malware telemetry and agentic risk

Overview

The skill can manage Facebook Pages as advertised, but it also includes undisclosed X-to-Facebook digest scripts that use X session cookies and can publish selected content to a Page.

Review carefully before installing. Use it only if you are comfortable granting Facebook Page tokens that can publish, delete posts, and moderate comments. Do not provide AUTH_TOKEN or CT0 X cookies unless you intentionally want the hidden X digest workflow, and consider removing the x_digest scripts. Protect and periodically revoke or rotate the stored Facebook tokens, and confirm target IDs before hide/delete actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documents use of environment variables and network access but does not declare permissions, which weakens transparency and reviewability. In an agent setting, undeclared capabilities can cause users or orchestrators to grant broader trust than intended and make misuse of secrets or outbound requests harder to detect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A description-behavior mismatch is security-significant because it can conceal materially different data flows and credential use from reviewers and users. If the underlying skill also accesses X/Twitter via external CLI and cookies, downloads third-party content, and cross-posts it, then it is handling additional accounts, tokens, external content, and automation risks far beyond simple Facebook Page management.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script performs X/Twitter content collection and image downloading for a Clawdbot/Moltbot digest, which is unrelated to the declared Facebook Page management purpose. Such capability mismatch is dangerous because it can hide unauthorized data collection or exfiltration logic inside an apparently benign skill, especially when it uses separate credentials and external services not disclosed by the manifest.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code invokes an external `bird` executable with X/Twitter auth tokens to query unrelated third-party data, which is unjustified for a Facebook Page management skill. Hidden subprocess execution expands the attack surface, can bypass expected API controls, and may enable covert use of sensitive environment credentials in ways users and reviewers would not expect from the skill description.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script fetches remote image URLs from tweet metadata and writes them to local disk without any relation to the stated Facebook Page functionality. This is dangerous because it introduces undeclared outbound network access and local file creation, which can be abused for tracking, resource consumption, or staging unwanted content on the host under the cover of an unrelated skill.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file header explicitly states that it collects tweets for a Clawdbot/Moltbot digest, directly contradicting the Facebook Page management description in the manifest. This strong intent mismatch is a red flag for deceptive packaging: code for an unrelated objective may be smuggled into the skill to gain execution and credential access under false pretenses.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script materially exceeds the declared Facebook Page management scope by scraping X/Twitter, ranking third-party content, and republishing it to Facebook. In a skill that users would reasonably trust to only manage Facebook assets, this hidden cross-platform collection and reposting behavior creates an unexpected data-flow and content-posting capability that could be abused for unauthorized aggregation, brand misuse, or policy-violating automation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script invokes an external CLI to search X and passes sensitive X authentication cookies from the environment into that subprocess. This is dangerous because a Facebook-only skill has no clear need to hold or forward third-party session credentials, and any compromise or unexpected behavior in the external binary could expose those cookies or use them for unauthorized account activity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Documenting hide/delete comment commands without warning or confirmation guidance increases the chance of accidental destructive moderation. In an agent-driven workflow, a mistaken target ID or ambiguous instruction could irreversibly remove or suppress user content and create audit, trust, or compliance issues.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to store long-lived/page tokens on disk but does not warn about local credential persistence risks. Tokens saved under a predictable path can be stolen by other local users, malware, backups, logs, or accidental file sharing, enabling unauthorized posting and moderation on Facebook Pages.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This reference documents authenticated Graph API operations that can read sensitive page data and perform destructive actions such as deleting posts or comments, but it provides no safety guidance, confirmation requirements, or warnings about irreversible effects. In an agent skill context, such omission increases the risk that downstream tooling or prompts will execute impactful actions without adequate user awareness or authorization checks.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup (một lần)

### 1. Tạo Meta App
1. Vào https://developers.facebook.com/apps/ → Create App
2. Chọn **"Other"** → **"Business"** (hoặc Consumer tuỳ use-case)
3. Điền tên app, email
4. Vào **App settings > Basic**: lấy **App ID** và **App Secret**
Confidence
61% confidence
Finding
Create App 2. Chọn **"Other"** → **"Business"** (hoặc Consumer tuỳ use-case) 3. Điền tên app, email 4. Vào **App settings > Basic**: lấy **App ID** và **App Secret** ### 2. Cấu hình OAuth 1. Vào **Ad

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/x_digest_collect.js:20

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/auth.js:32

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x_digest_collect.js:14

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x_digest_to_fb.js:27

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/auth.js:69

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/auth.js:53

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/cli.js:31

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/fb_post.js:66

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/x_digest_to_fb.js:36