DeviantArt Post

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed DeviantArt posting helper that needs OAuth credentials and can publish content to the connected account.

Install only if you want an agent to post to your DeviantArt account. Use your own DeviantArt app, grant only the scopes needed, confirm the exact file path/title/body/settings before any post, keep the local token file private, and revoke the app token if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill documentation describes capabilities to read environment variables, read and write local files, and make network requests, but it does not declare any permissions. That creates a transparency and governance gap: users or hosting systems cannot accurately assess or constrain what the skill can access before execution.

Missing User Warnings

Medium
Confidence: 68%
Finding
The multipart upload logic reads arbitrary local file paths and transmits file contents to DeviantArt. In an agent-skill context, this is more sensitive because a higher-level prompt or tool invocation could cause unintended exfiltration of local files if path inputs are not tightly constrained and confirmed by the user.

VirusTotal

66/66 vendors flagged this skill as clean.
