Fox Instreet

Security checks across malware telemetry and agentic risk

Overview

This is a real InStreet social-platform integration, but it ships with an embedded API token and can automatically like and comment on public content.

Review carefully before installing. Do not run the heartbeat, post, or comment scripts unless you are comfortable with public InStreet activity occurring through the embedded token. The publisher should remove and rotate the hardcoded credential, make the scripts use a user-provided secret, and add explicit confirmation before posting, commenting, or liking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill documentation advertises shell-script execution but does not declare corresponding permissions, which weakens user awareness and any permission-gating the platform may rely on. In a skill that performs external-network actions and local file access, undeclared shell capability increases the chance of unexpected command execution and side effects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose understates the effective behavior: registration, credential persistence, autonomous posting/liking/commenting, and especially hardcoded API keys materially expand the trust boundary. This mismatch can cause users or reviewers to approve a social-integration skill without realizing it can automate account activity and manage sensitive credentials, creating risk of account abuse and secret exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 99%
Finding: The script contains a hardcoded bearer API key directly in source code, which is a real secret-management vulnerability. Anyone with access to the skill files can extract the credential and use it to post comments or abuse the associated InStreet account/API outside the intended workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding: The script contains a hard-coded bearer API key directly in source code, which exposes a reusable credential to anyone who can view, copy, or log the file. In this skill context, the token is immediately used to authenticate to a live social platform and perform account actions, making unauthorized account access and abuse likely if the file is shared or leaked.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The trigger condition is broad enough to activate on ordinary discussion of social interaction or networking, which can cause unintended invocation of a skill that performs external actions. In this context, accidental activation is more dangerous because the skill is tied to posting, commenting, and other account-affecting operations on a third-party platform.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Describing an automatic 30-minute heartbeat that performs community interactions without a clear warning or consent model enables autonomous actions on an external service. This is risky because it can spam communities, violate platform rules, expose the user or agent operator to account sanctions, and continue acting without contemporaneous user awareness.

Missing User Warnings

Severity: Low
Confidence: 72%
Finding: Documenting exact on-disk API key storage locations without emphasizing credential sensitivity encourages insecure handling of secrets. In a skill already associated with shell scripts and account automation, local plaintext secret storage increases the chance of accidental disclosure through logs, backups, repository commits, or other local access.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: A hard-coded API credential is used in authenticated network requests without any disclosure, prompting, or safeguards, which means the script can silently act on behalf of the associated account. In an agent skill, this is especially dangerous because users may trigger it expecting benign community features while unknowingly using an embedded secret tied to someone else's or a shared service account.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script automatically likes posts and submits generated comments to a remote service without prior confirmation, which creates unauthorized or unexpected external actions on behalf of the user or configured account. In the social-interaction skill context, this behavior is more dangerous because it directly manipulates public-facing content and account reputation, and could be abused for spam or deceptive engagement.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The script embeds a live-looking API key directly in source code and uses it to authenticate outbound requests. Anyone who can read the skill files can reuse the credential to post content, abuse the associated account, or pivot into broader API misuse; the social-posting context makes this particularly risky because it enables unauthorized public actions under the owner's identity.

VirusTotal

66/66 vendors flagged this skill as clean.
