Security audit

OpenQuok Core

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenQuok social-posting helper; it can affect connected social accounts, but the sensitive actions fit its stated purpose.

Install this only if you want an agent to help manage OpenQuok-connected social channels. Treat it as capable of posting, scheduling, uploading media, deleting queued posts, changing draft/scheduled status, and reading analytics through your authenticated workspace. Avoid using confidential, private, or embargoed media URLs unless you understand the public-fetch requirement and provider timing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documentation instructs users to make media publicly fetchable over HTTPS so TikTok can retrieve it, but it does not explicitly warn that this exposes the media to anyone with the URL and may create privacy, confidentiality, or premature disclosure risks. In a social-post scheduling skill, users may upload embargoed, internal, or personal media, so omitting that warning can lead to unintended public exposure even if the platform requirement itself is legitimate.

VirusTotal

46/46 vendors flagged this skill as clean.

View on VirusTotal