Back to skill

Security audit

Upload Videos🎥, Photos📸 & Text🖊️ to TikTok, Instagram, YouTube, X, LinkedIn, Facebook, Threads, Pinterest, Reddit & Bluesky via Upload-Post API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent social-posting API skill, but it can publish, schedule, edit, or cancel posts across connected accounts without built-in confirmation safeguards.

Install only if you trust Upload-Post with the connected accounts and uploaded content. Use a dedicated limited profile/API key, confirm the exact file or text, destination platforms, visibility, profile, and scheduled time before every publish or edit, review scheduled jobs, avoid confidential documents unless intended for posting, and rotate the API key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill enables actions that can immediately publish or schedule content to connected social media accounts, but the description does not prominently warn users about that real-world side effect. This increases the risk of unintended posting, reputational harm, and accidental use with the wrong profile or platform set.

External Transmission

Medium
Category
Data Exfiltration
Content
## Upload Videos

```bash
curl -X POST "https://api.upload-post.com/api/upload_videos" \
  -H "Authorization: Apikey YOUR_KEY" \
  -F "user=profile_name" \
  -F "platform[]=instagram" \
Confidence
88% confidence
Finding
curl -X POST "https://api.upload-post.com/api/upload_videos" \ -H "Authorization: Apikey YOUR_KEY" \ -F "user=profile_name" \ -F "platform[]=instagram" \ -F "platform[]=tiktok" \ -F "video=@

External Transmission

Medium
Category
Data Exfiltration
Content
## Upload Videos

```bash
curl -X POST "https://api.upload-post.com/api/upload_videos" \
  -H "Authorization: Apikey YOUR_KEY" \
  -F "user=profile_name" \
  -F "platform[]=instagram" \
Confidence
88% confidence
Finding
https://api.upload-post.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Upload Photos

```bash
curl -X POST "https://api.upload-post.com/api/upload_photos" \
  -H "Authorization: Apikey YOUR_KEY" \
  -F "user=profile_name" \
  -F "platform[]=instagram" \
Confidence
88% confidence
Finding
https://api.upload-post.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Upload Text

```bash
curl -X POST "https://api.upload-post.com/api/upload_text" \
  -H "Authorization: Apikey YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
87% confidence
Finding
https://api.upload-post.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Upload PDFs, PPTs, DOCs as native LinkedIn document posts (carousel viewer).

```bash
curl -X POST "https://api.upload-post.com/api/upload_document" \
  -H "Authorization: Apikey YOUR_KEY" \
  -F "user=profile_name" \
  -F 'platform[]=linkedin' \
Confidence
87% confidence
Finding
https://api.upload-post.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Process media with custom FFmpeg commands:

```bash
curl -X POST "https://api.upload-post.com/api/ffmpeg" \
  -H "Authorization: Apikey YOUR_KEY" \
  -F "file=@input.mp4" \
  -F "full_command=ffmpeg -y -i {input} -c:v libx264 -crf 23 {output}" \
Confidence
96% confidence
Finding
https://api.upload-post.com/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Response includes `job_id`. Manage with:
- `GET /uploadposts/schedule` - List all scheduled
- `DELETE /uploadposts/schedule/<job_id>` - Cancel
- `PATCH /uploadposts/schedule/<job_id>` - Edit (date, title, caption)

## Check Upload Status
Confidence
91% confidence
Finding
DELETE /uploadposts/schedule/<job_id>`

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.