Back to skill

Security audit

TopYappers - Creators & Viral Content Skills

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only TopYappers MCP integration whose external API use and creator-contact-data features are disclosed, but users should handle queries, API keys, credits, and emails carefully.

Install only if you intend to use TopYappers and trust its service. Use a scoped or revocable API key, watch credit usage, avoid sending confidential campaign plans or personal data as search terms, and treat any retrieved creator emails as sensitive contact data subject to consent, anti-spam, platform, and privacy obligations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly documents retrieval of creator email addresses and encourages filtering on exact email or email existence, but provides no privacy, consent, or permitted-use guidance. That creates a realistic risk of privacy misuse, unsolicited outreach, or harvesting of personal contact data through an agent workflow.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The example workflow specifically promotes finding creators with available email addresses without warning about consent, anti-spam, or privacy obligations. In an agent setting, examples strongly shape behavior, so this omission can normalize bulk contact discovery and increase the chance of misuse at scale.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user-provided search queries and filters to a third-party remote API, but the documentation does not warn users that their inputs will leave the local agent environment. Even though the endpoint uses HTTPS, the privacy issue remains: users may unknowingly submit sensitive research topics, market intelligence, or personal data to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to configure an external HTTP MCP endpoint with a bearer token, but it does not clearly disclose that user queries and credentials will be transmitted to a third-party service. This can lead to unintentional exposure of sensitive prompts, account-linked usage data, or API credentials, especially in environments where users assume tools are local or platform-native.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.