kuaishou-login

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform a disclosed QR-login screenshot workflow, but users should treat returned QR codes and post-login screenshots as sensitive login material.

Install only if you are comfortable with the agent displaying login QR codes and account screenshots. Treat those images like temporary credentials: do not share them publicly, close or expire login prompts when finished, and avoid using the skill in shared workspaces or recorded sessions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to capture and return a scannable login QR code and a post-login screenshot. A scannable QR code can allow unintended third parties to authenticate into the user's account session, and post-login screenshots may expose account identity, session state, or other sensitive dashboard information. In this context, the screenshot behavior is the core workflow, which makes the issue more dangerous rather than incidental.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal