Security audit

Cross Platform Content Syncer

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it asks for broad authority to publish, schedule, notify, analyze, and back up content across several third-party accounts.

Review before installing. Use least-privilege tokens only for the platforms you intend to sync, confirm each destination and scheduled time before publishing, keep optional Slack and Google Drive integrations off unless needed, and verify there is a way to review or cancel queued jobs and backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill advertises syncing, backups, analytics, Slack notifications, and Google Drive export before clearly foregrounding that user content and metadata will be transmitted to multiple third parties. In an agent setting, this can lead users to invoke the skill without understanding the breadth of external sharing, increasing the chance of unintended disclosure of drafts, private content, tokens, or engagement data.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.