Back to skill

Security audit

Postqued API

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only PostQued API helper whose sensitive actions are expected for social media uploading and publishing, though users should confirm every upload or post.

Install only if you intend to use PostQued from your agent. Keep POSTQUED_API_KEY scoped and private, verify the exact file, caption, account, privacy setting, intent, and dispatch time before any upload or publish call, and prefer draft mode unless you explicitly want direct publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger description is broad enough to activate on general social-media posting tasks, not just explicit PostQued API requests. In an agent environment, that can cause the skill to be selected unexpectedly and lead to unintended external API use, content publication, or account operations without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides step-by-step instructions for uploading media, querying platform accounts, and publishing content to an external service, but it does not warn that user content, captions, account identifiers, and scheduling metadata will be transmitted off-platform. In agentic use, this omission increases the risk of silent data exfiltration or unintended posting to linked social accounts.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Start upload session
curl -X POST https://api.postqued.com/v1/content/upload \
  -H "Authorization: Bearer $POSTQUED_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
curl -X POST https://api.postqued.com/v1/content/upload \ -H "Authorization: Bearer $POSTQUED_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "filename": "video.mp4", "contentType

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Start upload session
curl -X POST https://api.postqued.com/v1/content/upload \
  -H "Authorization: Bearer $POSTQUED_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
https://api.postqued.com/

External Transmission

Medium
Category
Data Exfiltration
Content
--data-binary @video.mp4

# Confirm upload
curl -X POST https://api.postqued.com/v1/content/upload/complete \
  -H "Authorization: Bearer $POSTQUED_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.postqued.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**For images** (direct upload):

```bash
curl -X POST https://api.postqued.com/v1/content/upload-image \
  -H "Authorization: Bearer $POSTQUED_API_KEY" \
  -H "Content-Type: multipart/form-data" \
  -F "file=@image.jpg"
Confidence
94% confidence
Finding
https://api.postqued.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 2: Get Platform Account ID

```bash
curl https://api.postqued.com/v1/platform-accounts?platform=tiktok \
  -H "Authorization: Bearer $POSTQUED_API_KEY"
# Response: { "accounts": [{ "id": "account-uuid", "username": "@user", ... }] }
```
Confidence
87% confidence
Finding
https://api.postqued.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**Important:** Always include a unique `Idempotency-Key` header (valid 24h).

```bash
curl -X POST https://api.postqued.com/v1/content/publish \
  -H "Authorization: Bearer $POSTQUED_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: unique-uuid-per-request" \
Confidence
97% confidence
Finding
https://api.postqued.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.