youmind-tumblr-article

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a Tumblr publishing workflow, but it includes an under-disclosed command that can delete Tumblr posts from a connected account.

Review this skill before installing if you connect a real Tumblr account. It can publish, read engagement/follower information, reorder or shuffle the queue, and also delete posts even though deletion is not prominent in the main description. Use it only with a YouMind/Tumblr account where you are comfortable granting that level of authority, and check local draft storage under ~/.youmind if drafts may contain private material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes Node-based CLI commands and documents use of API keys and connected Tumblr accounts, which implies filesystem, environment, and network access without an explicit permission declaration. That creates a transparency and policy-enforcement gap: users and hosting platforms may not realize the skill can access local config and perform authenticated network actions such as publishing or account inspection.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill description understates its effective power relative to the documented workflow: beyond writing/publishing, it can inspect account state, manipulate queue/order, validate local credentials, persist drafts locally, and, as the finding indicates, delete posts as well. When state-changing or account-inspection behaviors are broader than advertised, users may grant trust or invoke the skill without understanding it can modify content, access local config, or affect connected social accounts.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The reference exposes capabilities that go beyond the manifest’s declared scope, including follower listing, notifications, account limits, queue shuffling, and post deletion. This creates a scope-expansion risk: an agent triggered for publishing or notes review could access or perform additional actions the user did not reasonably expect, increasing the chance of privacy-invasive reads or destructive state changes.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata says it is for writing/publishing Tumblr posts, reviewing notes/activity, and queue control, but the CLI also exposes a followers enumeration command that is not disclosed. This creates a capability mismatch that can surprise users and enable collection of follower identity/profile data beyond the declared purpose, increasing privacy and consent risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill description does not mention deletion, yet the CLI exposes a destructive delete command. Hidden destructive functionality violates least surprise and can be abused by an agent or prompt chain to remove Tumblr content without the user understanding that the skill is capable of deletion.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Post deletion is not aligned with the stated purpose of publishing, review, and queue control, so its presence materially expands the skill's authority beyond what users would reasonably expect. In an agent setting, this hidden destructive action raises the risk of unauthorized content loss from prompt injection, operator error, or misuse of connected account permissions.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code persists generated Tumblr post content to local disk in `saveLocalDraft`, including a fallback write outside the home directory (`../output`). Local file writes are not clearly required by the manifest's stated purpose of publishing/reviewing Tumblr content, and they create unnecessary data persistence that could expose sensitive draft content, private prompts, or unpublished material to other local users, backup systems, or unintended directories.

Session Persistence

Medium
Category
Rogue Agent
Content
## Draft Location Rule

**Canonical:** write local adapted drafts to `~/.youmind/articles/tumblr/<slug>.html`. This shared home directory is available to all YouMind skills — see [`shared/YOUMIND_HOME.md`](shared/YOUMIND_HOME.md).

**Legacy fallback** (if `~/.youmind/` is not writable): `skills/youmind-tumblr-article/output/<slug>.html`.
Confidence
87% confidence
Finding
write local adapted drafts to `~/.youmind/articles/tumblr/<slug>.html`. This shared home directory is available to all YouMind skills — see [`shared/YOUMIND_HOME.md`](shared/YOUMIND_HOME.md). **Legac

VirusTotal

66/66 vendors flagged this skill as clean.
