social-postcjo

Security checks across malware telemetry and agentic risk

Overview

This social-posting skill is not proven malicious, but it asks users to store powerful Twitter and Farcaster private credentials while relying on posting scripts that are not included for review.

Review the actual scripts before installing or adding credentials. Use a least-privilege Farcaster signer if possible, avoid storing a custody private key unless strictly required, keep credential files owner-only, start with dry-run previews, and avoid --yes unless you explicitly want posts or replies sent without another confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

65/65 vendors flagged this skill as clean.
