Cross-Platform Social Poster

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward social-posting guide, with expected risks around public posting and protecting bot tokens, API keys, and webhook URLs.

Install only if you intend to let an agent help publish to these accounts or channels. Review exact messages, media paths, and destinations before running commands; treat bot tokens and webhook URLs as secrets; keep .env out of version control; and verify the xurl npm package before installing it globally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to place live API credentials and webhook URLs in a local .env file and source it, but provides no guidance on protecting that file, excluding it from version control, or using a secret manager. This creates a realistic risk of accidental credential leakage through commits, logs, shell history, backups, or shared workspaces, especially because the listed secrets directly authorize posting to external services.

VirusTotal

61/61 vendors flagged this skill as clean.
