Bijian AI Writing Expert

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Ziniao Browser bridge controller that uses a local API key and local HTTP bridge as expected for its purpose.

Install only if you intend to let the agent control Ziniao Browser through the local ZClaw bridge. Protect the ZCLAW_API_KEY, review ~/.zclaw/config.json permissions, and confirm browser/store actions before using it on sensitive accounts or transactions.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill instructs the agent to source a local config file to read API credentials and make outbound network requests, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or the platform may not realize the skill can access environment-derived secrets and contact external services, increasing the risk of unintended secret use or data exfiltration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal