Social media autopilot

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward SocialEcho API helper that uses an explicit team API key to query data and publish posts when the user runs those commands.

Install only if you intend to let the agent call SocialEcho with a team API key. Review publish payloads, account IDs, status values, scheduled times, and the base URL before running publish commands, and use a least-privilege or revocable API key where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: This skill handles a team API key and supports external API calls, upload URL retrieval, and content publishing, but it does not warn users that operational data, media metadata, or post content may be sent to a third-party service and may trigger real-world actions. In an agent context, missing disclosure increases the risk of unintended data sharing or accidental publication using privileged credentials.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal