Bear Blog Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it warrants review: it can use stored credentials to publish publicly, and which Bear Blog account it acts on is not clearly scoped.

Install only if you are comfortable giving the skill Bear Blog publishing authority. Prefer environment variables or runtime secret handling over plaintext config, avoid pasting passwords into chat, review drafts before publishing, and verify the /cattalk/ dashboard URLs are appropriate for your Bear Blog account before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities that access environment variables, read and write local files, invoke shell/browser tooling, and make network requests, yet it does not declare any permissions. This undermines informed consent and sandbox/policy enforcement because operators may authorize the skill without realizing it can access credentials, local config, temporary files, and external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill's stated purpose is publishing blog posts, but the documented behavior also includes reading credentials from local config and environment variables, calling third-party AI providers, and performing additional upload/network actions. Even if these features are functionally related, failing to clearly and completely disclose them increases the risk of credential exposure, unexpected data exfiltration to external APIs, and broader-than-expected side effects during execution.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The diagram generator renders attacker-controlled title/components into HTML and opens it via a browser against a local file URL. Because user input is inserted without escaping, this can enable script execution in the browser context and unexpected access to local resources or network endpoints through Playwright automation.
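The injection pattern this finding describes, shown as an added example rather than the skill's own code (the skill's template, its Playwright call and the exact shape of its input are not on this page): the unsafe renderer concatenates the title and component names into HTML, the hardened one entity-escapes every untrusted string and adds a meta CSP so an inline handler fails even if an escape is ever missed, and a small HTMLParser-based check reports any tag outside the template's own set or any event-handler/javascript: attribute that survived. The hostile title is a constructed payload; the allowed-tag set mirrors this template only.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: a benign title and one an attacker could smuggle in via
# pasted markdown or a chat message. In a file:// page the handler runs with
# the browser's local-file origin, which is why the finding matters.
BENIGN_TITLE = "Deployment pipeline"
HOSTILE_TITLE = '<img src=x onerror="alert(document.location)">'
COMPONENTS = ["git", "ci-runner", "bear blog"]


def render_diagram_unsafe(title, components):
    """The pattern the finding describes: input concatenated straight into HTML."""
    items = "".join(f"<li>{c}</li>" for c in components)
    return f"<html><body><h1>{title}</h1><ul>{items}</ul></body></html>"


def render_diagram_safe(title, components):
    """Hardened form: every untrusted string is entity-escaped (quotes too), and a
    meta CSP with no script-src refuses inline script and handlers as a backstop."""
    esc = lambda s: html.escape(s, quote=True)
    items = "".join(f"<li>{esc(c)}</li>" for c in components)
    csp = ('<meta http-equiv="Content-Security-Policy" '
           'content="default-src \'none\'; style-src \'unsafe-inline\'">')
    return (f"<html><head>{csp}</head><body><h1>{esc(title)}</h1>"
            f"<ul>{items}</ul></body></html>")


class _ActiveMarkupFinder(HTMLParser):
    """Records tags the template never emits and attributes that can run script.
    Escaped input is parsed as text, so it never reaches handle_starttag."""
    ALLOWED_TAGS = {"html", "head", "meta", "body", "h1", "ul", "li"}

    def __init__(self):
        super().__init__()
        self.offending = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            self.offending.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.offending.append(f"attr:{tag}.{name}")


def active_markup(document):
    """Smoke check to run on a rendered file before handing it to Playwright:
    returns a list of offending tags/attributes, empty when the document is clean."""
    finder = _ActiveMarkupFinder()
    finder.feed(document)
    finder.close()
    return finder.offending


if __name__ == "__main__":
    print("unsafe:", active_markup(render_diagram_unsafe(HOSTILE_TITLE, COMPONENTS)))
    print("safe:  ", active_markup(render_diagram_safe(HOSTILE_TITLE, COMPONENTS)))
```

The check is a tripwire, not a sanitizer: it only confirms that the escaping held for one document. The CSP is the defense that still holds when the template grows a new interpolation nobody escaped.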

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example trigger phrases are broad natural-language requests like publishing a blog from pasted markdown or generating and publishing content, which can overlap with ordinary user conversation and cause the skill to activate unexpectedly. In an agent environment, this increases the chance of unreviewed publication of user-supplied or model-generated content, creating integrity and privacy risks even if no direct code execution occurs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes AI content generation but does not clearly warn that prompts, topics, and possibly user-provided content are transmitted to third-party providers such as OpenAI or Kimi. Users may unknowingly send sensitive drafts, proprietary information, or personal data off-platform, making this a real data disclosure and compliance risk in a publishing skill that handles arbitrary text.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example workflow instructs users to provide Bear Blog email and password through a chat assistant, but does not warn that chat systems, bots, logs, and integrations may store or expose those credentials. In the context of an automation skill, this normalizes unsafe secret-sharing and can lead to credential compromise across the chat platform, bot backend, or downstream observability systems.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The entry trigger is broad enough to activate on generic requests to write or publish blog content, which can cause the skill to be selected even when the user did not explicitly choose Bear Blog or intend to publish externally. In this skill, that matters because the tool is configured to use stored credentials and perform real publishing actions, increasing the risk of unintended external posting or platform-specific actions without clear user confirmation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The publish flow performs a real post creation immediately using stored credentials, with no confirmation gate or dry-run mode. In an agent setting, this increases the risk of unintended external actions, spam, or reputational damage if invoked with malicious or mistaken inputs.
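The shape of a publish flow that addresses this finding, the chat-credential finding above and the overview's advice to prefer environment variables, as an added example that is not the skill's own code: credentials come only from the process environment (never from a plaintext config or a value pasted into the chat), dry-run is the default so a caller that forgets the flag gets a preview rather than a live post, and a live post requires a per-call confirmation callback that returns True. The environment variable names, dashboard URL and form fields are placeholders; a recording transport stands in for the HTTP session so the block runs offline.

```python
import os
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed names; the skill's real config keys and endpoints are not on the page.
ENV_EMAIL = "BEAR_BLOG_EMAIL"
ENV_PASSWORD = "BEAR_BLOG_PASSWORD"
DASHBOARD_BASE = "https://bearblog.dev/example-account/dashboard"  # placeholder


class ConfigError(Exception):
    pass


class NotConfirmed(Exception):
    pass


@dataclass(frozen=True)
class Credentials:
    email: str
    password: str

    def __repr__(self):  # keep the secret out of logs and tracebacks
        return f"Credentials(email={self.email!r}, password='***')"


def load_credentials(env=None) -> Credentials:
    """Read credentials from the environment only. Missing values are an error,
    not a prompt: the skill must never ask the user to paste them into chat."""
    env = os.environ if env is None else env
    email, password = env.get(ENV_EMAIL), env.get(ENV_PASSWORD)
    if not email or not password:
        raise ConfigError(f"set {ENV_EMAIL} and {ENV_PASSWORD} in the environment")
    return Credentials(email, password)


@dataclass
class RecordingTransport:
    """Stand-in for the HTTP session: records what would have been sent."""
    calls: list = field(default_factory=list)

    def post(self, url, data):
        self.calls.append((url, dict(data)))
        return {"status": 200, "url": url}


@dataclass
class PublishResult:
    published: bool
    url: Optional[str]
    preview: str


def publish_post(creds, title, body, transport, *, dry_run=True,
                 confirm: Optional[Callable[[str], bool]] = None) -> PublishResult:
    """Create a post only after an explicit confirmation of the exact preview.
    No network call of any kind happens in dry-run or unconfirmed mode."""
    preview = f"--- {title} ---\n{body[:200]}"
    if dry_run:
        return PublishResult(False, None, preview)
    if confirm is None or not confirm(preview):
        raise NotConfirmed("live publish requires a confirmation callback returning True")
    # Placeholder endpoints: log in, then create the post, using the creds only here.
    transport.post(f"{DASHBOARD_BASE}/login/", {"email": creds.email, "password": creds.password})
    resp = transport.post(f"{DASHBOARD_BASE}/posts/", {"title": title, "content": body})
    return PublishResult(True, resp["url"], preview)


if __name__ == "__main__":
    fake_env = {ENV_EMAIL: "me@example.com", ENV_PASSWORD: "s3cret"}  # constructed
    creds = load_credentials(fake_env)
    print(publish_post(creds, "Hello", "First post.", RecordingTransport()).preview)
```

In an agent setting the `confirm` callback is where the human gate lives: it should show the user the same preview the function built, not a summary the model wrote, so that what is approved is what is posted.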

Missing User Warnings

Low
Confidence
79% confidence
Finding
The image upload sends a local file's contents to a remote service without an operation-local warning or confirmation. In an agent context, that can cause unintended disclosure of sensitive local files if the image path is user- or model-controlled.
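The containment check a practitioner would put in front of that upload, as an added example and not the skill's own code: the requested path is resolved (symlinks and `..` included) and must land under a declared upload directory, the file must be a regular file within a size cap, and its leading bytes must match a known image signature so a `.png` that is really a key file is refused before anything leaves the machine. The allowed directory, size limit and signature table are assumptions; the fixture builder creates constructed files in a temporary directory so the block runs offline.

```python
import tempfile
from pathlib import Path

# Assumed signature table; the skill's real allow-list is not on the page.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"RIFF": "image/webp",  # RIFF container; must also say "WEBP" at offset 8
}


class UploadRefused(Exception):
    pass


def resolve_upload_path(requested, allowed_root):
    """Resolve first, then contain: '..' and symlinks are followed before the
    check, so a path that merely looks relative cannot escape the root."""
    root = Path(allowed_root).resolve()
    target = (root / requested).resolve()  # an absolute `requested` replaces root
    try:
        target.relative_to(root)
    except ValueError:
        raise UploadRefused(f"{requested!r} resolves outside {root}")
    if not target.is_file():
        raise UploadRefused(f"{requested!r} is not a regular file")
    return target


def sniff_image_type(path):
    """Trust the bytes, not the extension."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, mime in IMAGE_MAGIC.items():
        if head.startswith(magic):
            if mime == "image/webp" and head[8:12] != b"WEBP":
                continue
            return mime
    raise UploadRefused(f"{Path(path).name}: not a recognised image (starts with {head[:8]!r})")


def prepare_upload(requested, allowed_root, max_bytes=5_000_000):
    """Everything that must hold before the file contents are sent anywhere."""
    path = resolve_upload_path(requested, allowed_root)
    size = path.stat().st_size
    if size > max_bytes:
        raise UploadRefused(f"{path.name}: {size} bytes exceeds {max_bytes}")
    return {"path": str(path), "mime": sniff_image_type(path), "bytes": size}


def build_fixture():
    """Constructed test data: an upload root with a real-looking PNG and a text
    file, plus a sibling directory holding a 'secret' outside the root."""
    base = Path(tempfile.mkdtemp())
    root, outside = base / "uploads", base / "outside"
    root.mkdir()
    outside.mkdir()
    (root / "img.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (root / "notes.txt").write_text("not an image\n")
    (outside / "secret.key").write_text("-----BEGIN PRIVATE KEY-----\n")
    return root, outside


if __name__ == "__main__":
    root, outside = build_fixture()
    print(prepare_upload("img.png", root))
    for bad in ("../outside/secret.key", "notes.txt"):
        try:
            prepare_upload(bad, root)
        except UploadRefused as e:
            print("refused:", e)
```

Resolving before checking is the part that matters: a check on the raw string accepts `uploads/../outside/secret.key`, and a check on the parent directory alone accepts a symlink planted inside the root.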

VirusTotal

66/66 vendors flagged this skill as clean.
