Back to skill

Security audit

Social Media Scheduler - schedule, publish, cross-post, & auto-post social media posts with text, images, video uploads, Reels, Stories, Shorts and carousels to Instagram, Facebook, Threads, LinkedIn, LinkedIn Pages, X, TikTok, Pinterest and YouTube via WoopSocial MCP for AI agents

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WoopSocial integration for scheduling and publishing social media posts, with no evidence of hidden or unrelated behavior.

Install only if you intend to let an agent work with your WoopSocial-connected social accounts. Review the OAuth or API-key setup carefully, avoid exposing API keys in shared logs or command history where possible, and confirm account, platform, content, and timing before publishing public posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description contains very broad activation phrases such as 'use whenever the user wants to post, schedule, queue, cross-post, bulk-schedule, draft, or auto-publish social content,' which can match common user requests too aggressively. In an agent environment, this can cause the skill to be invoked in situations where the user did not clearly intend to use this specific third-party publishing integration, increasing the risk of unintended social media actions or overbroad data sharing to the remote MCP server.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.