Back to skill

Security audit

Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PostFast API skill for scheduling and managing social media posts, with a real caution around confirming deletions before use.

Install only if you intend to let the agent manage your PostFast workspace. Treat posting, connect-link creation, media upload, and deletion as account-impacting actions; before any delete, have the agent show the post ID, platform, content summary, and scheduled time, then get your explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill documents a destructive delete operation with no guidance to confirm user intent, preview the target post, or warn about irreversibility. In an agent setting, this increases the chance of accidental or prompt-induced deletion of scheduled content, especially when users ask broadly to 'clean up' or 'remove posts'.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
GET /social-posts?page=0&limit=50&platforms=X,LINKEDIN&statuses=SCHEDULED&from=2026-06-01T00:00:00Z&to=2026-06-30T23:59:59Z

# Delete post
DELETE /social-posts/:id

# Upload media (3 steps)
POST /file/get-signed-upload-urls  { contentType, count }
Confidence
93% confidence
Finding
DELETE /social-posts/:id

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.