content-pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill is a content workflow helper, but it can automatically publish to social media without clear approval or account-scope controls.

Install only if you intentionally want an agent to coordinate content creation through social publishing. Use stage-by-stage mode, review generated event files and final media/captions, verify the connected social account, and avoid `--skip-review` or full auto-publish unless you have separate approval and rollback controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill describes a workflow that culminates in publishing to Instagram/SNS, including in auto mode, without a prominent upfront warning that it performs an external side effect. In an agent context, hidden or insufficiently signposted external actions can cause unintended public posting, reputational damage, or disclosure of draft/sensitive content before review.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal