Facebook-poster

Security checks across malware telemetry and agentic risk

Overview

This skill is for Qvicker.lt Facebook marketing, but it asks an agent to publish posts directly without clear approval, account limits, or safeguards for invented testimonial-style content.

Use this only if you intentionally want an agent involved in Qvicker.lt Facebook publishing. Before connecting Facebook permissions, change the workflow to draft first, require explicit approval for each post, confirm the exact page/account, and avoid fabricated testimonials unless clearly labeled as hypothetical examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to use `facebook.post_update` to publish content, but it does not require any user confirmation, draft review, or disclosure before taking an external side-effecting action. This creates a real risk of unauthorized or unintended posting to a public account, which can cause reputational harm and accidental dissemination of inaccurate or noncompliant content.

VirusTotal

64/64 vendors flagged this skill as clean.
