Back to skill

Security audit

AI-CMO Social Media Promoter

Security checks across malware telemetry and agentic risk

Overview

This is a documented third-party marketing API skill, but users should be careful about confidential product data and platform anti-spam rules.

Install only if you are comfortable sending product names or URLs to AI-CMO's servers with your API key. Do not submit confidential launches, internal URLs, customer data, secrets, or regulated information unless you have approved AI-CMO's data handling. Treat generated comments as drafts, review every post manually, follow each platform's rules, and avoid stealth promotion or spam.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly sends a product URL/name and an API key to a third-party remote service, but the documentation does not clearly warn users that their inputs may be disclosed to and processed by an external provider. This creates a real privacy and data-governance risk, especially if users submit confidential product information, internal URLs, or sensitive campaign data under the assumption the skill is local-only.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file gives concrete advice on how frequently to analyze, when to engage, how many posts to interact with, and how to pace replies, but omits any warning about platform anti-spam rules, account enforcement risk, disclosure obligations, or reputational harm. In a skill specifically designed to identify promotion spots and generate engagement copy, that omission materially increases the chance the guidance will be used for borderline spammy or policy-violating promotional behavior.

External Transmission

Medium
Category
Data Exfiltration
Content
> Note: Analysis takes 2–4 minutes (scraping 6 platforms + AI scoring). Set your HTTP client timeout to at least 300 seconds.

```typescript
const resp = await fetch("https://www.aicmo.site/api/v1/open/analyze", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
96% confidence
Finding
fetch("https://www.aicmo.site/api/v1/open/analyze", { method: "POST"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.