weibo-post

Security checks across malware telemetry and agentic risk

Overview

This skill transparently automates posting to Weibo, but it can publish publicly from a logged-in browser profile without a required final approval step.

Review before installing. Use this only if you want an agent to post to Weibo from your logged-in browser profile. Add or enforce a final confirmation step that shows the exact account and exact post text, then requires explicit approval before clicking send.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger phrases are broad, natural-language commands for a high-impact action: publishing content to a public social media account. This increases the chance of accidental invocation from ambiguous user requests, which could cause unintended public posts under the user's authenticated Weibo session.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: This skill performs an irreversible external side effect by posting publicly from the user's account, but the instructions do not clearly emphasize the account, privacy, reputational, and public-data risks. In this context, lack of explicit warning and confirmation is dangerous because browser automation can immediately publish content once triggered, leaving little opportunity to prevent mistakes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal