Back to skill

Security audit

WorkBuddy 自定义皮肤技能

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed WorkBuddy theming tool, but it modifies the installed app package and uses a scheduled task to restart the app, so it belongs in Review before installation.

Install only if you are comfortable with a skill altering WorkBuddy's installed app.asar file, closing/restarting WorkBuddy, and potentially affecting signatures or updates until you restore app.asar.bak. Prefer using it on a personal machine, review the exact target path first, keep the backup, and avoid installing on managed or policy-controlled systems without approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill instructs use of environment variables and local binaries (`$env:USERPROFILE`, custom Node path) while declaring no permissions, creating a mismatch between documented capabilities and declared access. This can mislead reviewers and users about the skill's actual reach into the host environment, reducing transparency and weakening trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This script creates a Windows scheduled task that runs PowerShell with ExecutionPolicy Bypass, then kills WorkBuddy and executes a deferred installer that overwrites app.asar and relaunches the app. That combination is dangerous because it establishes an OS-level execution mechanism outside normal app controls and could be abused to run modified code or persistence-like behavior, especially since the task payload is written to a temp .ps1 file.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The code comments claim the generated CSS 'does not modify any official files,' but the skill metadata explicitly states the overall skill injects skins by patching `app.asar`. In a security context, that mismatch is dangerous because it obscures that the skill achieves persistence by altering packaged application files, which can bypass normal theming boundaries, survive restarts, and make users underestimate the trust and recovery implications.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes very broad phrases such as “主题”, “皮肤”, and “改外观”, which are common in normal conversation and may cause the skill to activate unintentionally. In this skill's context, accidental invocation is more dangerous because its documented behavior includes patching `app.asar`, restarting the host application, and modifying installed program files.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown describes direct modification of the host application's `app.asar`, backup/overwrite behavior, and forced restart flows, including non-interactive execution paths, without clearly mandating explicit user confirmation immediately before execution. This is dangerous because it enables destructive host-file changes and process interruption from a conversational trigger, and may also break signatures, updates, or application integrity on managed systems.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list is unusually broad and includes generic terms like '主题', 'theme', and 'customize appearance', which can match routine user requests unrelated to invasive package modification. In this skill's context, accidental activation is more dangerous because the described behavior is not a harmless UI preference change but direct modification of the application's app.asar package.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest explicitly advertises performing 'minimal byte surgery' on app.asar and creating a backup, but it does not present any explicit warning about integrity risks, upgrade breakage, tamper concerns, or the security implications of altering packaged application files. This is especially dangerous because modifying app bundles can bypass normal extension boundaries, persist changes outside normal user expectations, and weaken trust in the application installation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script forcefully terminates WorkBuddy, preserves a backup, and then arranges for app.asar to be replaced with a patched copy and the application relaunched, all without any user-facing consent in this file. Modifying app.asar is effectively code tampering of the installed application, so a compromised or malicious patched archive could inject arbitrary behavior into the app while the forced stop/restart hides the transition from the user.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
This CSS replaces visible UI text with hard-coded Chinese strings via ::before/::after content and hides the original text by setting font-size to 0. In a theming skill, forcing a specific language without user choice can mislead users, reduce accessibility, and interfere with localization or policy/compliance expectations, especially if the surrounding app is not Chinese-localized.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/apply.js:42

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/asar-patch.js:134