Social Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a formatter/simulator, but it presents real social publishing and image upload as supported while also asking users to configure platform credentials.

Treat this version as a preview or formatting simulator. Do not provide real social-platform credentials unless the publisher clarifies which integrations are actually implemented and how secrets are protected.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 91% confidence
Finding: The documentation states that real publishing and credential-based operation are supported, while the roadmap says the real platform APIs are not yet implemented. This mismatch can mislead users into supplying sensitive credentials or assuming publication behavior and safety properties that do not actually exist, increasing the risk of secret exposure, unsafe testing, or operational mistakes.

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The feature list advertises image upload support, but the roadmap says image upload is not yet implemented. Users may provide local image paths or API credentials expecting uploads to occur, creating confusion around data handling and potentially causing accidental disclosure of files or secrets once the skill behavior changes or is misunderstood.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal