WeChat Official Account Custom Theme Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow WeChat CSS theme generator, with its local CSS file creation disclosed and aligned with its purpose.

Before using it, choose a specific output filename such as theme.css, ask the agent not to overwrite existing files without approval, and review any generated CSS or external HTTPS resources before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence: 92%
Finding
The skill explicitly states it will generate CSS and save it as a local file, but it does not require user confirmation or present any warning about filesystem modification. While the intended behavior is part of the skill's normal function, silent file creation can still cause unintended overwrites or violate user expectations in agentic environments.

Missing User Warnings

Low
Confidence: 95%
Finding
The workflow instructs the agent to write generated CSS into a local file in the current directory without any confirmation, path restriction, or overwrite protection. In an autonomous agent context, this creates a real safety issue because file writes are side effects that may alter the workspace unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.
