Security audit

Twitter Trend Monitoring and Tweet Generation (Twitter热点监控与推文生成)

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it asks for recurring Twitter/X trend monitoring with broad automatic triggers and unclear user control.

Install only if you want Twitter/X trend monitoring and draft generation, not for generic tweet writing. Configure any hourly schedule explicitly, make sure you know how to stop it, fact-check all trend claims, and avoid posting style-imitation drafts in a way that suggests affiliation with the named creators.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

High
Confidence: 95%
Finding
The skill declares very broad mandatory triggers such as '帮我写推文' ("help me write a tweet") or '查推特热点' ("check Twitter trends"), which can cause the agent to invoke this skill for many unrelated social-media-writing requests. That creates routing abuse risk: users may be forced into trend-monitoring, style-imitation, and platform-growth behavior they did not request, increasing the chance of unintended data access, policy-bypassing content generation, or over-collection from external sources.

VirusTotal

54/54 vendors flagged this skill as clean.