Metricool

Security checks across malware telemetry and agentic risk

Overview

This Metricool skill appears purpose-built rather than malicious, but it can schedule public social posts using stored credentials and may choose the first connected brand automatically.

Install only if you are comfortable giving an agent Metricool authority to schedule posts on connected accounts. Use a dedicated or least-privilege token if available, keep it out of committed files, supply the exact blogId/brand and platforms for every scheduling action, and confirm the post text and scheduled time before running schedule-post.js.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (11)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 80% confidence
Finding: The skill documents use of environment variables to access Metricool credentials, but the skill metadata does not declare permissions or clearly signal that it requires secret access. This can mislead users and automated policy systems about the skill's capabilities, increasing the chance that credentials are exposed to a skill that was not transparently permissioned.

Context-Inappropriate Capability

Low

Confidence: 83% confidence
Finding: The script silently expands its credential sources beyond environment variables by reading ~/.moltbot/moltbot.json and a repository-relative .env file. In an agent skill context, this broadens access to local secrets without clear user consent and creates unnecessary secret exposure risk if the script is invoked in environments containing unrelated credentials.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The script does more than read explicitly provided environment variables: it falls back to ~/.moltbot/moltbot.json and a parent-project .env file to obtain credentials. That broadens the credential access scope beyond the apparent purpose of listing brands and can cause the tool to silently consume secrets from unrelated local contexts, violating least-privilege expectations and increasing the chance of unintended secret use.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The script silently falls back to reading Metricool credentials from ~/.moltbot/moltbot.json and a repository-relative .env file when environment variables are absent. That expands the script's credential access surface beyond what is necessary for listing scheduled posts and can cause it to consume secrets from unintended local files, which is risky in agent or multi-project environments.

Context-Inappropriate Capability

Low

Confidence: 89% confidence
Finding: The script searches for Metricool credentials not only in process environment variables but also in ~/.moltbot/moltbot.json and a parent-directory .env file. That broad credential discovery exceeds strict direct-input requirements and can cause the skill to silently consume secrets from unrelated local files, increasing the risk of unintended secret access and use in shared or multi-project environments.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README instructs users to place long-lived Metricool API credentials in common configuration files without any warning about their sensitivity, least-privilege handling, or risk of accidental disclosure through commits, logs, screenshots, backups, or shared workspaces. In a skill specifically designed to automate posting to multiple social platforms, stolen credentials could let an attacker schedule, modify, or publish unauthorized content across connected accounts.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The setup instructions tell users to place API credentials in plaintext config or .env files without any warning about sensitivity, file permissions, or avoiding source control. This creates a realistic risk of accidental credential disclosure through commits, backups, shared workspaces, or overly permissive local access.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill description emphasizes scheduling and management but does not clearly warn that supplied content may be published to third-party social platforms through Metricool. This lack of disclosure increases the risk of unintended posting, reputational damage, and accidental release of sensitive or internal information.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The code accesses local config and .env files for secrets with no user-facing notice, prompt, or audit signal. In a tool/agent setting, undisclosed secret harvesting from local files violates least surprise and can cause users to expose credentials they did not intend this skill to read.

Credential Access

High

Category: Privilege Escalation
Content: } catch (e) {} } // Try .env file if (!token) { try { const envPath = path.join(__dirname, '..', '..', '..', '.env');
Confidence: 95% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: // Try .env file if (!token) { try { const envPath = path.join(__dirname, '..', '..', '..', '.env'); const envContent = fs.readFileSync(envPath, 'utf8'); envContent.split('\n').forEach(line => { const [key, ...valueParts] = line.split('=');
Confidence: 95% confidence
Finding: .env'

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal