Back to skill

Security audit

Posta

Security checks across malware telemetry and agentic risk

Overview

This social-media automation skill is purpose-aligned, but it needs Review because it can affect live accounts and has under-scoped credential and mutation safeguards.

Install only if you are comfortable giving the skill access to your Posta-connected social accounts. Prefer a revocable POSTA_API_TOKEN over email/password, avoid shared machines, review any /tmp token/response caching risk, and require a visible preview plus explicit approval before scheduling, publishing, deleting media, exporting analytics, or calling third-party AI generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly relies on shell execution and environment-variable access (`curl`, `jq`, sourcing shell scripts, reading credentials from env/files), yet no explicit permissions are declared. This creates a transparency and policy gap: users or the hosting agent may invoke code-capable behavior without a clear permission boundary, increasing the chance of unintended credential use and network actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description is extremely broad, covering content creation, generation, uploads, scheduling, publishing, analytics, and account management across many platforms. In an agent ecosystem, such broad matching can cause the skill to activate for generic social-media requests and gain access to credentials, shell, and external posting workflows when a narrower skill would suffice.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow includes a destructive action (`posta_delete_media`) immediately after listing and filtering media, but does not instruct the agent to obtain explicit user confirmation or verify that the target media is truly unused. In a social-media management context, accidental deletion can permanently remove assets needed for scheduled posts, analytics, or future reuse, causing integrity and availability loss.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The analytics export example triggers CSV/PDF exports without telling the user that files will be generated and potentially written to disk or downloaded. While less severe than deletion, silent export actions can leak sensitive business metrics into local storage, shared environments, or downstream tooling without informed user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example workflow creates a non-draft post with a concrete `scheduledAt` timestamp and no warning, confirmation step, or emphasis that this will publish to real connected social accounts. In a skill specifically designed to manage and publish social content, this increases the chance of accidental real-world posting, reputational harm, or unauthorized account activity if copied verbatim by users or downstream agents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes the authentication token to /tmp/.posta_token, a predictable shared filesystem path, without setting restrictive permissions or using a safer per-user runtime directory. On multi-user systems or weakly configured environments, this can expose reusable bearer credentials to other local processes or users.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script saves API responses to /tmp/.posta_last_response and intermediate /tmp files, which may persist remote data on disk longer than expected and in a predictable location. While this is less severe than token storage, responses may include account metadata, analytics, or other sensitive API content that should not be globally exposed.

External Transmission

Medium
Category
Data Exfiltration
Content
**Generate an image with fal.ai (FLUX):**
```bash
# fal returns a hosted image URL (JSON), not raw bytes
RESULT=$(curl -s -X POST "https://fal.run/fal-ai/flux/schnell" \
  -H "Authorization: Key ${FAL_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
91% confidence
Finding
curl -s -X POST "https://fal.run/fal-ai/flux/schnell" \ -H "Authorization: Key ${FAL_KEY}" \ -H "Content-Type: application/json" \ -d

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: posta
description: Post to Instagram, TikTok, LinkedIn, YouTube, X/Twitter, Facebook, Pinterest, Threads and Bluesky from your terminal. Create posts with AI-generated images and captions, upload media, schedule or publish instantly, view analytics, and manage all your social accounts — without leaving your editor. Use this skill when the user wants to create social media content, generate images/videos/text with AI, upload media, create posts, schedule or publish posts, view analytics, compare post performance, or manage social accounts through Posta.
license: MIT
homepage: https://github.com/STGime/posta-skill
metadata:
Confidence
74% confidence
Finding
Create posts with AI-generated images and captions, upload media, schedule or publish instantly, view analytics, and manage all your social accounts — without leaving your editor. Use this skill when

Session Persistence

Medium
Category
Rogue Agent
Content
**Required:** `FAL_KEY` environment variable.

- **Get a key:** Sign up at https://fal.ai and create a key at https://fal.ai/dashboard/keys
- **Key format:** `<key_id>:<key_secret>` (contains a colon)
- **Auth header:** `Authorization: Key ${FAL_KEY}`
- **Auto-discovery:** The skill searches env vars, `~/.posta/credentials`, and `.env` files (dedicated config only — shell profiles are never read)
Confidence
88% confidence
Finding
create a key at https://fal.ai/dashboard/keys - **Key format:** `<key_id>:<key_secret>` (contains a colon) - **Auth header:** `Authorization: Key ${FAL_KEY}` - **Auto-discovery:** The skill searches e

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.