Back to skill

Security audit

RelayAPI

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent RelayAPI social-media management integration, but it gives agents broad authority over public posts, account connections, messages, webhooks, and destructive actions without enough scoping or confirmation guidance.

Install only if you intend to let the agent manage real social accounts through RelayAPI. Use a least-privilege RelayAPI key where possible, prefer connecting accounts through RelayAPI's own browser/dashboard flows, and require explicit confirmation before posting, deleting, unpublishing, disconnecting accounts, sending messages, changing webhooks, or performing follow/retweet/bookmark actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes account-connection flows that ask the agent to broker OAuth, app-password, bot-code, and authorization-code based onboarding for external social accounts. That materially expands the trust boundary from managing already-connected accounts to acquiring new credentials or auth artifacts, which can enable credential harvesting, mishandling of sensitive tokens, or unauthorized account linkage if triggered in the wrong context.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The Twitter follow/retweet/bookmark endpoints exceed the declared unified posting and management purpose and permit externally visible engagement actions that can manipulate third-party accounts or reputation. Scope creep like this increases the chance of unintended or socially harmful actions being executed under an overbroad activation or ambiguous user request.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation text uses broad phrases like social media posting, scheduling, analytics, inbox, comments, and webhooks, which are common in normal conversation and can cause unintended invocation. Because the skill can perform externally visible and destructive operations, accidental activation materially raises the risk of unauthorized API actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents destructive and externally visible actions such as delete, retry, and especially unpublish without requiring strong user-facing warnings or confirmation. In a social media context, these operations can remove public content across multiple connected accounts and create irreversible business or reputational damage if triggered mistakenly.

External Transmission

Medium
Category
Data Exfiltration
Content
# Returns: { "auth_url": "https://twitter.com/i/oauth2/authorize?..." }

# Step 2: After user authorizes, exchange the code
curl -X POST https://api.relayapi.dev/v1/connect/twitter \
  -H "Authorization: Bearer $RELAYAPI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "code": "the_auth_code_from_callback" }'
Confidence
86% confidence
Finding
https://api.relayapi.dev/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.