Security audit

Social Draftsmith

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed social media drafting and publishing skill that can post publicly using configured account credentials, so it should be used only with explicit publish approval.

Install only if you want the agent to help prepare and optionally publish social posts through your own configured accounts. Keep credentials least-privileged and private, run dry-runs first, and verify the exact account, platform, text, image, and subreddit/page before allowing any live publish command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'upload_url' from requests.post (line 95, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
        upload_url = 'https:' + upload_args['action'] if upload_args['action'].startswith('//') else upload_args['action']
        upload_fields = {item['name']: item['value'] for item in upload_args['fields']}
        with open(args.image_file, 'rb') as f:
            upload_resp = requests.post(upload_url, data=upload_fields, files={'file': f}, timeout=60)
        upload_resp.raise_for_status()

        # Step 1: create a self post
Confidence
89% confidence
Finding
upload_resp = requests.post(upload_url, data=upload_fields, files={'file': f}, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and documents executable publishing integrations that rely on environment credentials, local file handling, and network access, but it declares no corresponding permissions. That mismatch is dangerous because it obscures the skill's real capabilities from reviewers and users, increasing the chance of unauthorized posting, credential misuse, or file exfiltration if the skill is invoked in an environment where those capabilities are available.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This script performs a live publishing request to Facebook with post content and credentials as soon as it is run without --dry-run, with no interactive confirmation or explicit user-facing warning at the point of network transmission. In an approval-first social-posting skill, that weakens the intended safety boundary and increases the chance of accidental publication or unintended use of privileged page credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs a live post when called without --dry-run, but it contains no built-in confirmation prompt, approval token, or other user-facing safeguard before publishing. In the context of a social-posting skill, this is more dangerous because accidental or unauthorized invocation can immediately publish content to a public account, causing reputational or operational harm.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.