Automated Post

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed workflow for generating, publishing, and archiving posts, with no hidden code or unrelated behavior found.

Install if you want this agent to publish generated text and images to the configured website and then archive the post materials in Feishu. Use confirmation mode for sensitive content, verify the destination website account and Feishu document permissions, and avoid publishing or archiving confidential material unless you are comfortable with that persistence.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill documents a workflow that culminates in publishing to a website, but it does not clearly warn users that confirmation mode still results in a real external publication once the final step is reached. This can cause users to approve intermediate steps without fully understanding that the skill performs an externally visible action, increasing the risk of unintended posting or reputational harm.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill specifies automatic archiving of post content and images to Feishu documents, but it does not disclose retention, visibility, sharing scope, or what data is uploaded. This creates a privacy and data-governance risk because users may not realize their generated content and images are being persisted in a third-party document system.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal