Security audit

携程笔记全自动发布 (Ctrip Notes fully automatic publishing)

Security checks across malware telemetry and agentic risk

Overview

This skill is for Ctrip posting, but it can control a logged-in Chrome session and modify a live publishing page with weak scoping and unclear confirmation boundaries.

Install only if you are comfortable letting this skill operate Chrome while logged into Ctrip. Use a separate browser profile if possible, review all generated text and images yourself, and do not allow final publishing unless you explicitly approve the exact post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Content:
        activate
        end tell
        '''
        subprocess.run(['osascript', '-e', script])
        time.sleep(2)

    def navigate_to_publish_page(self):
Confidence: 82%
Finding: subprocess.run(['osascript', '-e', script])

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Content:
        end tell
        end tell
        '''
        result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)
        if result.returncode != 0:
            print(f"⚠️ 导航警告: {result.stderr}")
        print("🚀 已导航到携程发布页面")
Confidence: 86%
Finding: result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Content:
        end tell
        end tell
        '''
        result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)
        return result.stdout.strip()

    def fill_title(self, title):
Confidence: 94%
Finding: result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill describes network access, local file writes to /tmp/openclaw/uploads/, and execution of browser automation/CDP-based code, but it does not declare corresponding permissions or safety boundaries. Undeclared capabilities are dangerous because users and hosting platforms cannot accurately assess what the skill may access or modify, especially when it can download external content and drive a logged-in browser session to publish content.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 85%
Finding: The skill claims fully automatic publishing, image search, upload, and publish-button execution, but the finding indicates the actual implementation does not fully perform those actions and has undisclosed platform constraints. This mismatch is security-relevant because users may grant trust or approvals based on inaccurate claims, causing unsafe assumptions about what the automation will do, how it runs, and what manual review steps are skipped.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: The trigger phrases include broad everyday requests such as '发布到携程' ("publish to Ctrip") and '帮我发到携程' ("help me post to Ctrip"), which can overlap with normal conversation and unintentionally invoke a high-impact publishing workflow. Because this skill can automate content creation and submission in a logged-in account, accidental triggering increases the chance of unauthorized or unintended posts.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The skill advertises automatic downloading of images, uploading them, and clicking the publish button, but it does not describe any mandatory user confirmation, preview, or risk warning before taking those irreversible external actions. In the context of a logged-in travel platform account, this can lead to unauthorized posting, copyright/compliance issues from externally sourced images, and reputational damage from publishing incorrect or unreviewed content.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The description '携程笔记发布技能' ("Ctrip notes publishing skill") is overly broad and does not clearly limit when the skill should be invoked or what user authorization and content constraints apply. For an automation skill that can search images, fill content, upload media, and publish posts, vague metadata increases the chance of unintended or overly broad activation, which can lead to unauthorized posting, spammy behavior, or misuse in the wrong context.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.