Publora Threads

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Publora integration for creating or scheduling Threads posts, with real external posting risk that users should control carefully.

Install only if you are comfortable letting an agent use a Publora key for connected Threads accounts. Confirm the exact account, text, media, and scheduled time before allowing any publish or schedule action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill is explicitly designed to publish or schedule user-provided content to Threads via Publora, but the description does not clearly warn that invoking the skill sends content to an external third-party service and may create real public posts. This can lead to unintended disclosure or accidental publication if a user or downstream agent does not understand that using the skill has externally visible side effects.

VirusTotal

66/66 vendors flagged this skill as clean.
