Back to skill

Security audit

Facebook Page Manager 1.0.0

Security checks across malware telemetry and agentic risk

Overview

The Facebook Page manager mostly does what it says, but it also includes under-disclosed X/Twitter-to-Facebook digest scripts that use X session credentials, an unmanaged local binary, and Facebook posting authority.

Install only if you are comfortable granting Facebook Page publishing and moderation access. Do not provide AUTH_TOKEN or CT0, and do not run the x_digest_* scripts, unless you explicitly want the undocumented X/Twitter digest workflow and have verified the bird binary on your PATH. Review posts and moderation actions before execution, and protect or remove tokens.json when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes use of environment variables and network access but does not declare permissions for them. Undeclared capabilities reduce transparency and can bypass policy or user expectations about what the skill is allowed to access, especially when handling app secrets and tokens for an external API.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's stated behavior is to collect tweets from X/Twitter, score them, and download tweet images, which is unrelated to the declared Facebook Page management capability. This mismatch is dangerous because it can hide undeclared data access and network activity inside a skill users and reviewers would expect to operate only on Facebook resources.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code invokes an external 'bird' CLI and injects AUTH_TOKEN and CT0 from the environment to access X/Twitter data, despite this skill being presented as a Facebook Page manager. Using unrelated auth material and external tooling in a mismatched skill increases the chance of credential misuse, hidden cross-service access, and reviewer/user deception about what secrets the skill consumes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script materially exceeds the declared Facebook Page management scope by scraping X/Twitter, ranking third-party content, downloading media, and cross-posting it to Facebook. This broadens the skill's effective permissions and data flows beyond what a user or reviewer would reasonably expect, creating a scope-mismatch vulnerability that can enable unauthorized content sourcing, policy violations, or reputational harm.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code requires unrelated X/Twitter credentials and invokes an external 'bird' CLI to fetch content, despite the skill being presented as Facebook Page management. This hidden dependency increases attack surface and trust risk: it can exfiltrate or misuse external credentials, pull in unreviewed content from another platform, and bypass least-privilege expectations for the skill.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation exposes hide and delete comment operations without warning that these actions are destructive or potentially irreversible. In an agent context, operators may trigger moderation actions without adequate confirmation, causing unintended content removal, audit gaps, or reputational damage to the page owner.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script reads sensitive authentication environment variables and uses them for external service access without any disclosure in the skill context or manifest. In a skill advertised for Facebook management, undisclosed consumption of unrelated credentials materially raises the risk of secret exposure, unauthorized API use, and violation of least-privilege expectations.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script fetches an externally supplied image URL from tweet metadata and writes the content to /tmp without disclosure or apparent content validation. This creates unexpected network and filesystem side effects in a Facebook skill, and could be abused for unreviewed downloads, storage of untrusted content, or limited SSRF-style access depending on how URLs are sourced by the external CLI.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup (một lần)

### 1. Tạo Meta App
1. Vào https://developers.facebook.com/apps/ → Create App
2. Chọn **"Other"** → **"Business"** (hoặc Consumer tuỳ use-case)
3. Điền tên app, email
4. Vào **App settings > Basic**: lấy **App ID** và **App Secret**
Confidence
68% confidence
Finding
Create App 2. Chọn **"Other"** → **"Business"** (hoặc Consumer tuỳ use-case) 3. Điền tên app, email 4. Vào **App settings > Basic**: lấy **App ID** và **App Secret** ### 2. Cấu hình OAuth 1. Vào **Ad

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/x_digest_collect.js:20

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/auth.js:32

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x_digest_collect.js:14

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x_digest_to_fb.js:27

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/auth.js:69

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/auth.js:53

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/cli.js:31

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/fb_post.js:66

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/x_digest_to_fb.js:36