Ex Skill

Security checks across malware telemetry and agentic risk

Overview

This skill openly aims to build personas from private chats, but it also includes intrusive automatic extraction of WeChat and iMessage data that needs careful review before use.

Install only if you are comfortable granting the agent access to local message databases and possible credential-like WeChat encryption keys. Use it only on accounts and conversations you are authorized to process, avoid disabling system protections, review generated files for retained private data, and prefer manual redacted chat exports over automatic extraction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (67)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
        print("KEY_NOT_FOUND")
"""
        result = subprocess.run(
            ["python3", "-c", f"exec({repr(lldb_script)})"],
            capture_output=True, text=True, timeout=30,
        )
Confidence
93% confidence
Finding
result = subprocess.run( ["python3", "-c", f"exec({repr(lldb_script)})"], capture_output=True, text=True, timeout=30, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _extract_key_macos_keychain() -> str | None:
    """Try to obtain the WeChat key from the macOS Keychain (may exist in some older versions)"""
    try:
        result = subprocess.run(
            ["security", "find-generic-password", "-s", "com.tencent.xinWeChat", "-w"],
            capture_output=True, text=True, timeout=5,
        )
Confidence
95% confidence
Finding
result = subprocess.run( ["security", "find-generic-password", "-s", "com.tencent.xinWeChat", "-w"], capture_output=True, text=True, timeout=5, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no permissions while explicitly instructing the agent to run local shell commands, read sensitive local message stores, and write persistent files. This is dangerous because it conceals powerful capabilities from users and reviewers, reducing informed consent and making unauthorized data access and filesystem modification easier to trigger.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The stated purpose is persona creation from chat logs, but the behavior includes decrypting WeChat databases, extracting keys from a running process, reading iMessage data, and managing persistent archives. That mismatch materially hides the true sensitivity of the skill and can facilitate covert collection of highly private communications and long-term retention beyond what a user may reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documented capability goes beyond user-supplied input and explicitly supports automatic extraction and decryption of local WeChat/iMessage databases using only an identifier. In this skill context, that enables bulk access to highly sensitive third-party communications and materially increases the chance of unauthorized collection of private data.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata suggests a narrow WeChat-based persona creation flow, but the body also supports iMessage extraction and lifecycle management commands such as listing, updating, rollback, and deletion. This broader operational scope increases risk because users may invoke the skill without understanding that it can access other data sources and maintain ongoing state about targets.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Automatic decryption and extraction of WeChat and iMessage databases is a highly sensitive capability, especially when driven by only a contact name, phone number, or Apple ID. In this context, the skill facilitates access to intimate third-party communications and identifiers without any built-in proof of authorization, making privacy abuse and unauthorized surveillance much more likely.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The PRD explicitly instructs reading the local macOS iMessage database and obtaining Full Disk Access, which materially expands data access beyond the advertised WeChat-focused use case. Even if intended for local-only processing, this creates a high-risk privacy boundary crossing because the skill could access highly sensitive personal communications and potentially more data than the user expects.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The skill is described as a persona-chat skill, but its documented commands also allow record ingestion, behavioral correction, version inspection, rollback, and deletion. This expands the effective capability surface beyond the declared purpose, making it easier for users or other agents to trigger state-changing operations without clear authorization, validation, or lifecycle controls.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documented `/move-on ex_chuge` deletion operation introduces destructive behavior that is not part of the stated skill purpose of creating a digital persona. If exposed without safeguards, it can be invoked accidentally or maliciously to remove the persona or associated state, causing data loss or denial of service for the skill.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documented activation command `/ex_chuge` conflicts with the manifest trigger `/create-ex`, which can cause users or calling systems to invoke the wrong capability. While this is primarily an integrity and usability problem rather than a direct exploit, inconsistent invocation guidance can lead to accidental execution of the wrong skill, confused operator behavior, or bypass of expected controls tied to the declared trigger.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The skill behavior is a direct roleplay/persona prompt, not a workflow for constructing a persona from WeChat chat records as the skill metadata claims. This mismatch can mislead users about provenance and authenticity, causing the system to present fabricated traits and responses as if they were grounded in real conversation data.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The file ships with a fully pre-authored persona profile even though the product description says the persona should be created from chat logs. In this context, that is dangerous because it encourages impersonation and false attribution of personal characteristics without evidentiary grounding from the referenced source material.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs users to locate decryption keys and parse WeChat PC databases, enabling extraction of private communications from a third-party messaging store. Even if framed as user-assisted import, this materially increases the capability for sensitive data access beyond minimal intake and creates clear privacy and abuse risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The declared skill purpose is creating a digital persona from chat logs, but this file is focused on recovering database keys from memory and decrypting WeChat databases. That mismatch is a strong indicator of concealed sensitive-data access and makes the capability materially more dangerous because users may not expect credential extraction or local database decryption.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The Windows code scans a live WeChat process and module memory to recover encryption keys, which is an intrusive credential-access technique. In the context of a consumer-facing persona tool, this is not reasonably necessary and could be used to bypass application protections and access private conversations without informed user understanding.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The macOS path attaches a debugger to WeChat, enumerates memory regions, and searches for candidate keys. This is a clear secret-extraction technique, and the surrounding guidance about disabling SIP or granting elevated access further increases risk by encouraging users to weaken system protections.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Accessing macOS Keychain to retrieve a WeChat secret is not justified by the stated persona-creation function and directly targets protected credentials. In this skill context, it broadens the attack surface from chat processing into secret retrieval, increasing the likelihood of unauthorized database decryption.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is declared as creating a digital persona from WeChat chat logs, but this file also supports extracting iMessage data. That expands collection beyond the stated scope and can lead to unauthorized access to a second, highly sensitive message store that users may not expect this skill to touch.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code instructs users to grant Full Disk Access so it can read macOS iMessage databases, which is a powerful permission unrelated to a WeChat-only skill description. In this context, requesting elevated filesystem access materially increases the risk of over-collection and privacy harm if the skill is misused or behaves unexpectedly.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module documentation advertises WeChat and iMessage parsing, which conflicts with the stated skill purpose and signals hidden or broader data-collection capability. In a tool built to process intimate chat histories for persona creation, scope mismatch is dangerous because users and reviewers may underestimate what personal data can be accessed.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README normalizes automatic extraction and decryption of private chat histories without a clear consent, legality, or privacy warning. Because the skill is specifically aimed at reconstructing a real person's intimate behavior from communications, omission of such warnings increases the likelihood of misuse against non-consenting individuals.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The `/move-on` command is described euphemistically as a gentle alias for deletion, but the README does not clearly warn that it is destructive. In a system storing sensitive persona data and versioned relationship history, ambiguous destructive actions can lead to unintended data loss or unsafe assumptions about recoverability.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README explicitly encourages users to feed private chat histories into the skill to recreate a person, but it does not provide clear consent, privacy, or data-handling warnings. Because the skill's purpose is to ingest highly sensitive interpersonal content, omission of those warnings materially increases the risk of privacy violations and misuse.

Missing User Warnings

High
Confidence
98% confidence
Finding
Advertising automatic WeChat/iMessage extraction and decryption without strong warnings about local database access, device sensitivity, and lawful authorization normalizes invasive collection behavior. In this context, users may be encouraged to access message stores tied to another person's private communications without understanding the privacy and legal implications.

VirusTotal

65/65 vendors flagged this skill as clean.