Security Audit
typefully/agent-skills:skills/typefully
github.com/typefully/agent-skills
Trust Assessment
typefully/agent-skills:skills/typefully received a trust score of 81/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Arbitrary File Exfiltration via Tool Arguments and Configuration Hijacking via Non-Interactive Setup.
The analysis covered 4 layers: llm_behavioral_safety, manifest_analysis, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit a403e581). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Arbitrary File Exfiltration via Tool Arguments.** The `drafts:create` command accepts a `--file` argument and `media:upload` accepts a file path argument. The tool reads these files and uploads them to the Typefully API. The documentation and context imply no path restrictions (e.g., chroot or allowlist). A prompt injection attack could trick the agent into reading and uploading sensitive system files (e.g., `~/.ssh/id_rsa`, `/etc/passwd`, or the `.typefully/config.json` containing the API key) to the external service. Modify `scripts/typefully.js` to validate file paths. Restrict access to the current working directory and its subdirectories. Reject absolute paths or paths containing `..` unless explicitly authorized by the user. | Unknown | SKILL.md:185 |
| MEDIUM | **Configuration Hijacking via Non-Interactive Setup.** The `setup` command supports non-interactive configuration flags (`--key`, `--location`). An attacker could use prompt injection to instruct the agent to execute this command with an attacker-controlled API key. This would silently reconfigure the tool, causing subsequent drafts created by the user to be sent to the attacker's Typefully account. Disable non-interactive configuration changes when the tool is invoked by an agent, or require a separate confirmation step that the agent cannot automate. | Unknown | SKILL.md:222 |