Back to skill

Security audit

Csdn Publisher

Security checks across malware telemetry and agentic risk

Overview

This CSDN publishing skill appears functional, but it adds under-scoped browser, credential, Telegram, Notion, and local persistence behavior that users should review before installing.

Install only if you intend to use the CSDN automation plus its Notion and Telegram integrations. Use least-privilege CSDN and Notion credentials, avoid sending login QR codes through Telegram unless you trust the bot/chat path, review where drafts and examples are stored, and consider disabling Notion duplicate checks or content reuse unless you explicitly need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions while clearly instructing use of shell commands, network access, local file reads/writes, browser automation, and credential handling. This undermines least-privilege review and informed user consent because operators cannot accurately assess what the skill will access before running it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose says CSDN writing/publishing, but the workflow also queries Notion, configures Telegram notifications, and persists/export credentials locally. Behavior that extends beyond the stated purpose is dangerous because it can surprise users, bypass expectation-based trust, and expose unrelated data sources or authentication artifacts.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill expands into querying a Notion database for recent-news deduplication, which is outside the core publishing scope described in the manifest. Hidden scope expansion increases the chance of unnecessary access to external systems and can cause unintended disclosure of workspace data during routine use.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Notion database querying is not obviously required for a CSDN publishing skill and introduces an additional external data plane. Unnecessary integrations increase attack surface, credential exposure risk, and the possibility of accessing business data unrelated to the user's publishing request.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This script is materially outside the stated purpose of a CSDN article-writing/publishing skill: it queries a Notion database using API credentials and returns recent entries. Such scope mismatch is dangerous because it expands the skill's access to unrelated external data sources and secrets, increasing the chance of unintended data collection or hidden exfiltration behavior under the guise of a different tool.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code accesses NOTION_KEY and NOTION_DATABASE_ID and sends an authenticated query to Notion without clear justification from the advertised skill purpose. In a skill focused on CSDN publishing, undeclared access to third-party content repositories and credentials creates unnecessary secret exposure and a covert data-access path that users may not expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises QR-code login via Telegram without warning users that the QR image is a login artifact that may expose account access or sensitive session information if sent through a third-party messaging channel. In a browser-automation publishing skill, normalizing this flow without explicit consent and security guidance increases the chance users will leak authentication material or trust an unsafe transport path.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger conditions are broad enough to activate on ordinary writing requests, not just explicit CSDN publishing tasks. Overbroad activation can cause the agent to read style files, persist drafts, or initiate publishing-related workflows when the user only asked for generic writing help.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Sending login QR codes through Telegram transmits authentication-related material via a third-party messaging platform without a clear privacy or security warning. If the Telegram bot, chat, or recipient is misconfigured, the QR image could be exposed to unauthorized parties and facilitate account compromise.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The workflow persists article drafts to local disk but does not clearly warn users that provided content will be stored in /tmp and may remain after task completion. This can expose sensitive drafts, proprietary material, or personal data to other local users, backups, or later processes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script uses a Notion API token and sends user-supplied title/URL data to an external service without any explicit disclosure, consent flow, or visible warning. In an agent skill context, undisclosed credential use and outbound transmission can expose sensitive article metadata or source URLs and surprise users who expect only CSDN publishing behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs a silent authenticated POST request to Notion and transmits both query parameters and a bearer token with no user-facing notice. Even though this may be intended functionality, undisclosed external transmission is risky in agent skills because it can send organizational metadata or content selection criteria to an external service without informed user awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script reads a sensitive environment variable containing a Notion API key without any warning, validation, or disclosure. In isolation this is common in automation, but within an agent skill it is dangerous because users may not realize the skill expects and consumes privileged credentials unrelated to the published feature description.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to retain user article content on disk for reuse across retries, creating a persistence channel beyond the immediate session. Retained drafts can leak confidential user material if the host is shared, compromised, or later accessed by other skills or operators.

Ssd 3

Medium
Confidence
94% confidence
Finding
Saving user-confirmed final articles into a reusable examples corpus means one user's content may influence or be exposed in future interactions. This creates a cross-user data leakage risk and exceeds the immediate purpose of publishing a single article unless explicit consent and isolation controls are in place.

External Transmission

Medium
Category
Data Exfiltration
Content
)
fi

RESULT=$(curl -s -X POST "https://api.notion.com/v1/databases/$DATABASE_ID/query" \
  -H "Authorization: Bearer $NOTION_KEY" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
84% confidence
Finding
curl -s -X POST "https://api.notion.com/v1/databases/$DATABASE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2022-06-28" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
)
fi

RESULT=$(curl -s -X POST "https://api.notion.com/v1/databases/$DATABASE_ID/query" \
  -H "Authorization: Bearer $NOTION_KEY" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
84% confidence
Finding
https://api.notion.com/

External Transmission

Medium
Category
Data Exfiltration
Content
EOF
)

curl -s -X POST "https://api.notion.com/v1/databases/$DATABASE_ID/query" \
  -H "Authorization: Bearer $NOTION_KEY" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
90% confidence
Finding
curl -s -X POST "https://api.notion.com/v1/databases/$DATABASE_ID/query" \ -H "Authorization: Bearer $NOTION_KEY" \ -H "Notion-Version: 2022-06-28" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
EOF
)

curl -s -X POST "https://api.notion.com/v1/databases/$DATABASE_ID/query" \
  -H "Authorization: Bearer $NOTION_KEY" \
  -H "Notion-Version: 2022-06-28" \
  -H "Content-Type: application/json" \
Confidence
90% confidence
Finding
https://api.notion.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.