Kiro X Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent, but it can publish and schedule automatic posts to X using write-capable account credentials without a separate approval step.

Review it carefully before installing on any X account that matters. Use search/draft mode first, supply OAuth write credentials only when you intend to publish, inspect the generated text before posting, and do not enable the cron job unless ongoing automatic public posts are acceptable and you know how to remove the schedule.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill metadata declares required binaries and environment variables but does not explicitly declare permissions for network access, local file writes, or environment/secret access. This weakens transparency and consent, making it easier for users or orchestrators to approve a skill without realizing it can read tokens, write outputs, and contact external services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The description understates several sensitive behaviors: use of a third-party enrichment service, authentication probing, local file output, and scheduled automatic posting via cron. This mismatch is dangerous because users may authorize the skill for passive analysis while it actually persists data, reaches additional external services, and can automate public actions on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill advertises a --post mode that can directly publish to X without any warning about the irreversible public nature of the action or the need for explicit review before posting. In this context the danger is elevated because the workflow generates content automatically from external signals, so a user could unintentionally publish inaccurate, harmful, or reputation-damaging content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: When run with --post, the script performs a live auth probe and then attempts to publish to X immediately, with no interactive confirmation, dry-run safeguard, or explicit warning at the posting point. In an agent/automation context this increases the risk of unintended external actions, including accidental publication of generated or attacker-influenced content.
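Both Missing User Warnings findings, and the overview's advice to use draft mode first and hand over write credentials only when publishing, describe one missing safeguard. The following is an added example (not the Kiro X Publisher script) of the shape that safeguard usually takes in a CLI or agent tool: draft is the default and sends nothing, --post alone prompts for a typed confirmation that shows the exact text, --yes is the only way to skip the prompt, a non-interactive run without --yes refuses rather than silently posting, and the write credential is read only after the decision to publish has been made. The flag names, the X_ACCESS_TOKEN variable, and the injected `send` callable are assumptions; nothing here contacts X.

```python
"""Confirmation and credential gating for an irreversible publish step.

Added example, not code from Kiro X Publisher. Flag names, the
X_ACCESS_TOKEN variable and the injected `send` callable are assumptions.
"""
import argparse
import os
import sys


class PublishRefused(Exception):
    """Raised whenever a publish is requested but not properly authorised."""


def load_write_token(environ):
    """Read the write credential only at the moment of publishing."""
    token = environ.get("X_ACCESS_TOKEN")
    if not token:
        raise PublishRefused("X_ACCESS_TOKEN not set; refusing to post")
    return token


def publish_or_draft(text, *, post, confirmed, environ, send, ask=None):
    """Return ('draft', text) or ('posted', response).

    post=False: nothing is sent and no credential is touched.
    post=True, confirmed=False: require a typed confirmation via `ask`;
    when there is no `ask` (a non-interactive agent run) refuse outright.
    post=True, confirmed=True: the caller passed --yes and accepts the risk.
    """
    if not post:
        return ("draft", text)
    if not confirmed:
        if ask is None:
            raise PublishRefused("--post needs --yes or an interactive confirmation")
        prompt = (f"About to publish a PUBLIC, irreversible post ({len(text)} chars):\n"
                  f"{text}\nType 'post' to confirm: ")
        if ask(prompt).strip() != "post":
            raise PublishRefused("publication not confirmed")
    token = load_write_token(environ)  # credential is read only on this path
    return ("posted", send(text, token))


def refuses(**kwargs):
    """True if publish_or_draft refuses with the given arguments."""
    try:
        publish_or_draft(**kwargs)
    except PublishRefused:
        return True
    return False


def collecting_sender():
    """Stand-in for the real API call (assumption): records what would be sent."""
    calls = []

    def send(body, token):
        calls.append((body, token))
        return {"sent": body, "n": len(calls)}

    return calls, send


def main(argv=None):
    parser = argparse.ArgumentParser(description="draft by default; --post publishes")
    parser.add_argument("text", help="post body, normally the generated draft")
    parser.add_argument("--post", action="store_true", help="publish instead of drafting")
    parser.add_argument("--yes", action="store_true", help="skip the confirmation prompt")
    args = parser.parse_args(argv)
    _, send = collecting_sender()
    ask = input if sys.stdin.isatty() else None  # no tty: never prompt, refuse instead
    mode, result = publish_or_draft(args.text, post=args.post, confirmed=args.yes,
                                    environ=os.environ, send=send, ask=ask)
    print(mode, result)


if __name__ == "__main__":
    main()
```

The two properties worth checking in any real skill are visible in the code path: the draft branch returns before `load_write_token` runs, so a draft-mode run works with no write credential in the environment at all, and a scheduled (cron, no tty) run that was not launched with --yes fails closed instead of posting. A cron entry that passes --yes is then a deliberate, visible decision rather than a side effect of installing the skill.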

VirusTotal

0 of 66 vendors flagged this skill; all 66 returned a clean verdict. A clean antivirus result does not address the findings above: the behaviors flagged there (credential use, calls to external services, local writes, cron scheduling) are ordinary API and system calls that antivirus engines do not classify as malicious.

View on VirusTotal