toutiaoAutoPublish

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to publish to Toutiao, but it can post through a logged-in browser while changing or adding content without a final approval step.

Review carefully before installing. Use only with a dedicated Toutiao browser profile, close the remote debugging port after use, avoid passing sensitive files, and require manual review of the exact final text, image, and publication settings before allowing it to publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill documentation exposes file-read capability via the `-f/--file` option but does not declare corresponding permissions. Undeclared local file access weakens consent and review boundaries, because an agent could read arbitrary local content and then publish or process it without the user clearly understanding that capability.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: This is a real description-behavior mismatch: the skill claims simple Toutiao posting, but the documented behavior includes attaching to an existing Chrome debugging session, reusing a logged-in browser context, altering publication-related declarations, expanding content automatically, and writing screenshots locally. Those extra capabilities materially increase risk because they enable actions on behalf of the user's authenticated account beyond the narrow expectation set by the description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The script defines a non-user-authored default post that will be published when no content is supplied. In a publishing skill tied to a real logged-in account, this can cause unauthorized or misleading public posts and directly violates user intent by performing account actions with self-generated content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The code silently appends substantial AI-generated text whenever the user's post is under 100 characters, materially changing the meaning and authorship of the content. In a social-media publishing context, silent rewriting is dangerous because it can publish statements the user did not approve under the user's account.

Context-Inappropriate Capability

Severity: Low
Confidence: 88%
Finding: The script automatically changes publication declarations such as '声明首发/头条首发' and '个人观点,仅供参考' rather than limiting itself to posting the supplied content. These metadata changes may create false representations about originality or content classification, exposing the user to policy, trust, or compliance issues on the platform.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger conditions are broad enough to match generic requests about publishing social content or scheduled posting, which can cause unintended invocation. In the context of a skill that posts to a live external platform using the user's authenticated session, accidental triggering is more dangerous because it may lead to unauthorized or premature publication.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill lacks a clear warning that it will post to a live external service through the user's already logged-in account. That omission undermines informed consent and is particularly risky here because the skill is designed to reuse an authenticated Chrome session, making real-world account actions easy to perform immediately.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script clicks the final publish button immediately after composing content and settings, with no explicit confirmation from the user. Because posting to a live social-media account is an irreversible external side effect, lack of a final approval step increases the risk of accidental, unauthorized, or manipulated publication.

VirusTotal

61/61 vendors flagged this skill as clean.