Back to skill

Security audit

Toutiao Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is clearly meant to publish to Toutiao, but it can submit live posts from a logged-in account with broad triggers and no final user approval gate.

Install only if you intentionally want an agent to control a browser and publish to your Toutiao account. Use a dedicated browser profile or test account, review all title/body/image/declaration choices first, and avoid one-shot publishing until the skill adds draft-only mode, narrower triggers, scoped permissions, safe content escaping, and a mandatory final confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script claims it will only verify the publish flow and skip actual publishing, but it still opens the real Toutiao publish page and performs live title/body edits earlier in the test. In an automation skill, mutating production content during a supposed safe test can cause accidental drafts, contaminate user data, or trigger side effects on a real account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes fully automated publishing to a public platform, including title entry, content injection, image handling, declarations, and final publish, but does not clearly warn that this performs an account-impacting public action. In an agent skill, this increases the chance of unintended posting, reputational harm, or policy/account consequences if a user invokes the skill without understanding that it can submit content live.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The usage examples encourage one-shot commands such as directly publishing articles or having AI generate and publish content, without emphasizing review, draft mode, or confirmation before submission. Because the action targets a real social publishing account, users may accidentally post unreviewed or hallucinated content publicly, causing reputational, compliance, or account-enforcement issues.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section documents a concrete automated publishing flow culminating in a real post action, but it does not prominently warn that executing the steps can create a live public publication on the user's Toutiao account. In an agent skill context, omission of an explicit confirmation/safe-mode warning increases the risk of unintended account actions, accidental public posting, and reputational harm.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The usage example shows a broad natural-language trigger and one-command publishing flow without warning that it can operate on a logged-in account and perform a real public post. This makes accidental invocation more likely, especially in assistant-driven environments where users may not realize the command is live rather than illustrative.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The primary trigger phrases are broad, everyday-language commands such as '发头条' and '发文章', which can be invoked during normal conversation without the user intending to activate an automation skill. In a skill that performs public posting, accidental activation materially increases the risk of unintended publication or content submission to a live platform.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The extended triggers include especially generic phrases like '自动发布' and '内容发布', which are ambiguous and likely to overlap with unrelated user requests. Because this skill automates posting workflows, such ambiguous activation creates a realistic path to unintended execution in the wrong context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section promotes '完整自动化发布' and one-click publishing flows but does not warn that the action may post publicly or submit content to a live account. In the context of a publishing skill, the lack of safety messaging and confirmation increases the chance of accidental public disclosure, reputational harm, or unauthorized submission of sensitive text.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad everyday phrases like '发文章' and '写头条', which can cause the skill to activate during normal conversation without the user intending to publish content. In the context of a skill that automates submission to an external publishing platform, accidental invocation is especially dangerous because it can lead to unintended posting, account misuse, or reputational harm.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill performs a high-impact external side effect—publishing content to a live third-party account—but the description lacks a clear warning that using it can immediately post public content. In this context, missing warnings materially increase the chance of users invoking the skill without appreciating that it may publish under their logged-in identity, creating reputational, compliance, and privacy risks.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script proceeds from content generation and page manipulation directly into the final publication flow, including clicking "预览并发布" and then confirming publication, without a fresh user confirmation gate immediately before the irreversible action. Because this skill automates posting to a real publishing platform, accidental invocation, parameter misuse, or manipulated input can cause unauthorized public publication under the user's account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.