FB Personal Poster

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Facebook posting helper, but it can use live account cookies and may change photo posts to Public without a user-selected audience.

Review carefully before installing. Only use this with a Facebook account and cookie file you are comfortable granting posting access to, keep dry-run on until you verify the exact post and photos, and assume photo posts may be made Public unless the skill is changed to preserve or explicitly ask for the audience.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The photo-posting flow includes logic to edit the sharing audience and switch it to Public, which exceeds the documented behavior of merely posting text and photos. In a skill that automates posting to a personal account using live session cookies, changing privacy scope can unintentionally disclose personal content much more broadly than the user intended.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script attempts to change post visibility to Public without any explicit warning, consent, or confirmation from the user. Because this skill posts to a personal Facebook timeline and may handle private photos, silent audience expansion can cause unintended public exposure of sensitive content, which is a meaningful privacy and safety risk.

VirusTotal

64/64 vendors flagged this skill as clean.
