Back to skill

Security audit

Talos — God of Automation

Security checks across malware telemetry and agentic risk

Overview

This is a local social-media calendar generator; its main caution is that it installs a Python formatting package and saves export files in the current folder.

Install only if you are comfortable running a local Python script that installs `rich` and creates `social_calendar_*.json` and `social_calendar_*.md` files in the working directory. Prefer a virtual environment instead of `--break-system-packages`, and avoid using sensitive campaign details in shared directories because the exports will remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The embedded Python writes JSON and Markdown files to the local filesystem, but the surrounding skill description does not clearly and explicitly warn the user that execution will create persistent output files. This is not inherently malicious, but hidden file writes reduce transparency and can surprise users, especially in automated or sensitive working directories.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.