Bluesky API

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Bluesky helper, but its posting quick reference has a stale credential argument that could lead to unsafe or unintended handling of a Bluesky app password.

Review before installing. Use only a Bluesky app password, provide it through a protected environment or secret mechanism, and require explicit approval before any public post. Do not follow the quick-reference form with an app password argument; prefer a corrected version where all examples and script usage agree on BSKY_APP_PASSWORD plus handle and text only.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The quick reference contradicts earlier safer guidance by showing the app password as a positional CLI argument. Passing secrets on the command line can expose them via shell history, process listings, logs, or telemetry, making credential leakage more likely in multi-user or monitored environments.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: Documenting a secret as a command-line argument encourages an unsafe usage pattern that can leak the Bluesky app password to local observers or system logging. Because this skill performs authenticated posting, compromise of that secret enables unauthorized access to the associated account until the app password is revoked.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal