Repliz Api

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Repliz social media integration, but it gives an agent live posting and irreversible deletion abilities without documented confirmation safeguards.

Install only if you want an agent to manage Repliz-connected social media accounts. Use revocable, least-privilege API keys where possible, and require the agent to show the account, post/comment, schedule ID, and intended action before posting, replying, deleting, or otherwise changing live social media data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documents destructive and account-management actions, including irreversible deletion of scheduled posts, but does not instruct the agent to require explicit user confirmation before executing them. In an agent setting, this creates a real risk of unintended destructive actions from ambiguous, mistaken, or prompt-injected requests against a live social media account.

Tool Parameter Abuse

High

Category: Tool Misuse
Content: } ``` **DELETE /public/schedule/{_id}** - Delete scheduled post (cannot be recovered) ---
Confidence: 86% confidence
Finding: DELETE /public/schedule/{_id}**

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal