Back to skill

Security audit

Social Media Scheduler

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real social media scheduler, but it stores and exposes powerful posting credentials in ways users should review before installing.

Install only if you are comfortable granting the skill authority to post publicly from your accounts. Use test or least-privilege accounts first, avoid command-line secrets, protect or disable storage/queue.json and the dashboard, review every queued post before starting the daemon, and do not let agents post sensitive or unapproved content automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document explicitly states that working Moltbook credentials are stored in a local secrets file, which discloses the existence and location of usable authentication material. Even though the secret value itself is not shown, documenting active credentials in a broadly accessible research note increases the chance of accidental exposure, misuse by other components, or targeted exfiltration.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file normalizes storing bearer-token credentials in a local JSON file without any caution about access controls, encryption, rotation, or exclusion from version control. In a skill focused on automating social-platform posting, this makes credential misuse more likely because future implementers may copy the practice without adding basic secret-handling safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage examples show commands that will post to live external social platforms, but they do not include a clear warning that executing them may cause real-world side effects, consume credentials, and create public content. In an agent skill context, omission of that warning increases the risk that a user or autonomous agent will run examples as if they were harmless demos.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document claims the feature is 'production ready' while also admitting live posting was not successfully tested due to API timeout. That contradiction can mislead operators into trusting unverified behavior and may cause unintended live posts, failures, or misuse of credentials in production environments.

Vague Triggers

Low
Confidence
92% confidence
Finding
The usage examples instruct users to pass raw API keys directly on the command line, which is unsafe because command-line arguments are often exposed through shell history, process listings, audit logs, and terminal recordings. In an automation or agent context, this broad credential-handling pattern increases the chance of accidental secret disclosure even if the report itself does not contain a real key.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide explicitly supports fetching media from arbitrary HTTP(S) URLs and states the image will be downloaded and uploaded, but provides no warning or constraints around remote fetching. In an agent context, this can enable SSRF-style access to internal services, unexpected network egress, retrieval of attacker-controlled content, or bandwidth/resource abuse if URL inputs are not tightly validated.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation encourages posting content to an external social network and provides ready-to-run commands using API keys, but it does not clearly warn that the supplied text and metadata are transmitted off-system and may become publicly visible. In an agent-skill context, this increases the chance that an agent or operator will treat the examples as routine local actions and unintentionally disclose sensitive, internal, or user-derived information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The agent code examples show subprocess execution that invokes posting scripts with credentials and content, but they omit a clear warning that running the example executes commands and transmits data externally. In an autonomous-agent environment, such examples can normalize unsafe automation patterns where unreviewed model-generated content or sensitive workspace data is sent to a public platform.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly advertises support for HTTP(S) URL media loading and cross-platform media uploads, but provides no warning that supplying a remote URL causes the system to fetch attacker-controlled content and then transmit that content to third-party services. In an agent or automation context, this omission can lead to SSRF-like fetches, unexpected data exfiltration, privacy issues, and accidental redistribution of sensitive media because users are not informed about the trust boundary crossing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document offers a fully autonomous release flow where the agent will post to multiple external platforms, but it does not clearly warn about the public, irreversible, and account-impacting nature of those actions. In a skill context, this can cause unintended public disclosure, reputational harm, or posting under the user's identity/community presence without sufficiently informed consent.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The collaborative option states that the agent will handle Discord, Reddit, and Moltbook, but it does not prominently warn that these are public community postings initiated by the agent. This increases the risk of a user casually agreeing to collaboration without appreciating that the agent is being authorized to publish externally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The release text normalizes scheduling and posting to multiple third-party platforms but does not explicitly warn that configured credentials will be used to automatically transmit content and media to external services. In an agent skill context, that omission can mislead operators about the trust boundary and lead to unintended publication, data disclosure, or reputational harm once the tool is configured and run.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The quick-start instructs users to place API keys, access tokens, and webhook URLs in a .env file without any notice that these are sensitive secrets requiring strict protection. This increases the chance of accidental leakage through commits, logs, screenshots, backups, or permissive filesystem access, which could let an attacker post to or otherwise abuse connected accounts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The daemon mode is presented as a routine startup step without clarifying that it enables unattended execution, automatic retries, and continued posting to external platforms after initial launch. In an automation skill, this can cause repeated or unexpected actions against real accounts, especially if content queues are wrong, credentials are overprivileged, or the daemon is left running unintentionally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This guide explicitly directs the user to post prewritten announcements to external public platforms and frames them as ready to copy-paste, but it does not warn that the content may expose project status, operational details, affiliations, or account ownership publicly. In a skill context, this creates a social-engineering style risk: a user may publish organization-linked information or act from the wrong account without a deliberate review step.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The checklist encourages immediate copy-paste posting with language like 'Done!' and 'Just copy-paste' while omitting explicit checks for sensitive content, correctness, branding, and account selection. That increases the chance of accidental public disclosure, impersonation, or posting inaccurate claims from an official or personal account, especially because the document is written to reduce hesitation and speed execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation repeatedly instructs users to pass secrets such as webhook URLs, API keys, and access tokens directly as CLI arguments. On many systems, command-line arguments are exposed via shell history, process listings, audit logs, and job runners, which can leak credentials to other local users or logging systems.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill states that analytics are logged automatically and include platform, post IDs, timing, failures, and error messages, but it provides no privacy, redaction, retention, or access-control guidance. If logs contain sensitive content, identifiers, or API error details, they may become a secondary disclosure point or create unnecessary retention of user activity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The announcement promotes capabilities that can directly affect external accounts and persisted content—multi-platform posting, media uploads, analytics, retries, and automatic deletion after 7 days—without clearly warning users that enabling or running the skill may publish to live accounts and later remove scheduled or historical content. This omission increases the risk of accidental posting, unintended data disclosure, and destructive cleanup actions, especially because the messaging frames the tool as production-ready and easy to start.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document promotes automated posting to many third-party platforms and enumerates required credentials, but it does not give clear warnings about account risk, privacy implications, rate limits, accidental posting, or the sensitivity of transmitted content and secrets. In skill context, this is more dangerous because it is a promotional announcement likely to drive rapid adoption by agents/users who may treat it as production-ready without understanding operational and privacy consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function sends user-provided content to an external Mastodon instance as soon as it is called, with no built-in confirmation, allowlist, or explicit indication that data will leave the local environment. In an agent-skill context, this is security-relevant because a higher-level agent could be induced to exfiltrate sensitive prompts, messages, or internal data through social posting without adequate user awareness.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The post functionality transmits user-supplied text, titles, URLs, and comments to Moltbook's external API, which is a data exfiltration/privacy boundary crossing. Even though this is the intended purpose of the integration, the file itself provides no built-in consent, disclosure, or policy guardrails to ensure callers understand that content will leave the local system and be published externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The queue persists `post.config` directly to `storage/queue.json`, and the comment explicitly indicates this may contain webhooks or tokens. Storing secrets in plaintext on disk increases the risk of credential disclosure through local file access, backups, logs, or accidental repository inclusion, especially because there is no minimization, encryption, or warning to operators.

Credential Access

High
Category
Privilege Escalation
Content
}

/**
 * Get OAuth2 access token
 * @param {object} config - OAuth credentials
 * @returns {Promise<string>} - Access token
 */
Confidence
80% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
/**
 * Get OAuth2 access token
 * @param {object} config - OAuth credentials
 * @returns {Promise<string>} - Access token
 */
async function getAccessToken(config) {
  // Return cached token if still valid
Confidence
80% confidence
Finding
Access token

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/platforms/mastodon.js:94

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/platforms/twitter.js:103

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/test.js:54

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/upload-media.js:86