WodeApp AI Engine

Security checks across malware telemetry and agentic risk

Overview

This looks like a real WodeApp integration, but it needs review because it combines broad hosted-project control with unclear authentication and data-retention disclosures.

Install only if you trust WodeApp with prompts, uploaded media, workflow inputs and outputs, project configurations, and the public or semi-public URLs it generates. Use a scoped WODEAPP_API_KEY with billing limits, avoid uploading confidential material, and require explicit confirmation before the agent publishes projects, deletes or changes project data, runs workflows, or sends messages or data through Feishu, WeCom, or DingTalk. Treat any project MCP endpoint described as unauthenticated as reachable by anyone who knows its address until you have verified otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill's privacy text claims that prompts and AI responses are not persisted, yet elsewhere it documents run-history features that save workflow executions, step states and restore points, and support sharing, export and import. Users and agents relying on the privacy claim may send sensitive data under false assumptions about retention and disclosure. Even if the inconsistency is documentation drift rather than malice, the retention risk is the same.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The skill expands well beyond a multimodal AI platform into organizational messaging, document access, and CRUD over enterprise systems such as Feishu, WeCom, and DingTalk. That broad capability surface raises the chance of unauthorized data access, outbound messaging abuse, or privilege misuse beyond what a user would reasonably infer from the skill's stated purpose.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest's privacy section makes a narrow storage claim that conflicts with the skill's own declared capabilities: project creation, publishing, versioning, and workflow execution all necessarily persist state server-side. Users are therefore misled about what is retained, which undermines informed consent and can leave sensitive project content or configuration data stored unexpectedly.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The top-level description presents the skill mainly as a unified multimodal AI API, but the manifest exposes much broader capabilities, including app/page building, CRUD operations, publishing, project-scoped MCP servers, and automation. That mismatch can lead users and reviewing systems to under-scope the trust boundary and approve a skill with materially broader operational reach than advertised.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The project MCP namespace includes enterprise messaging, document, and office-platform actions (Feishu, WeCom, and DingTalk operations) that the primary skill description does not clearly disclose. Because the skill already acts as a broad remote-execution and automation surface, hidden or under-explained messaging actions are more dangerous here: they could be abused for data exfiltration, spam, or unauthorized business communications through connected project tools.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger scenarios are broad enough to match generic requests such as writing, translation, summaries, interviews, recipes, and business copy, so the skill can activate outside any WodeApp-specific context. Over-broad activation makes it more likely that user content is sent to an external service, and that tools are invoked, when a local, tool-free response would suffice.

Vague Triggers

Medium
Confidence: 89%
Finding
The skill describes intent-based activation but never defines when it should not activate, leaving the agent to infer a broad default. In practice that ambiguity causes overreach: unrelated user prompts get routed to external services, raising privacy, cost, and consent risks.

Ssd 3

Medium
Confidence: 90%
Finding
The instructions tell agents to enumerate existing projects and include project URLs in responses by default. Exposing a user's private project inventory and access links in conversational output can leak sensitive organizational context, names, or reachable resources to unintended viewers or logs, especially when the user did not ask for a listing or for the links to be shared.

Ssd 3

High
Confidence: 98%
Finding
The documentation states that each published project exposes a project-level MCP server marked 'No Auth Needed', which auto-discovers powerful tools including data CRUD, workflow execution, messaging, document access, and org-data operations. If accurate, anyone who knows the project subdomain can enumerate those tools and operate on project resources without credentials, a serious unauthorized-access risk. Verify the claim against a live published project before installing: the documentation may be stale, but until an anonymous request is actually rejected it must be treated as true.
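The overview's warning about unauthenticated project MCP endpoints and this finding reduce to one testable question: does the project's MCP server answer an anonymous tools/list? The probe below is an added example for this report, not WodeApp or SkillSpector code. It assumes the endpoint uses MCP's Streamable HTTP transport (JSON-RPC 2.0 POSTed to one URL, replies as plain JSON or an SSE stream, an optional Mcp-Session-Id header issued on initialize); the placeholder URL, the risky-keyword list, and the two fake transports with their canned replies are all constructed here so it runs offline.

```python
"""Probe whether a project-scoped MCP endpoint answers tools/list with no credentials.

Added example, not WodeApp or SkillSpector code. Assumes the MCP Streamable HTTP
transport (JSON-RPC 2.0 over POST, JSON or SSE replies, optional Mcp-Session-Id).
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class HttpResult:
    status: int
    headers: dict
    body: str

# (url, headers, body) -> HttpResult; injectable so the probe can run offline against canned replies.
Transport = Callable[[str, dict, bytes], HttpResult]

def urllib_transport(url: str, headers: dict, body: bytes) -> HttpResult:
    """Real HTTP POST, used only when probing a live endpoint."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return HttpResult(resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return HttpResult(err.code, dict(err.headers), err.read().decode("utf-8", "replace"))

def parse_jsonrpc(body: str) -> Optional[dict]:
    """Return the first JSON-RPC response found in a JSON body or in SSE 'data:' lines."""
    body = body.strip()
    if body.startswith("{"):
        return json.loads(body)
    for line in body.splitlines():
        if line.startswith("data:") and line[5:].strip().startswith("{"):
            msg = json.loads(line[5:].strip())
            if "result" in msg or "error" in msg:
                return msg
    return None

def send(transport: Transport, url: str, msg: dict, session: Optional[str], token: Optional[str]) -> HttpResult:
    headers = {"Content-Type": "application/json", "Accept": "application/json, text/event-stream"}
    if session:
        headers["Mcp-Session-Id"] = session
    if token:  # omitted on the anonymous pass, which is the whole point of the check
        headers["Authorization"] = f"Bearer {token}"
    return transport(url, headers, json.dumps(msg).encode())

@dataclass
class ProbeResult:
    status: int
    tools: list = field(default_factory=list)
    error: Optional[str] = None

    @property
    def anonymous_enumeration(self) -> bool:
        return self.status == 200 and bool(self.tools)

def probe(url: str, token: Optional[str] = None, transport: Transport = urllib_transport) -> ProbeResult:
    """initialize -> notifications/initialized -> tools/list, reporting what the server allowed."""
    init = send(transport, url, {"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {
        "protocolVersion": "2025-03-26", "capabilities": {},
        "clientInfo": {"name": "mcp-auth-probe", "version": "0.1"}}}, None, token)
    if init.status in (401, 403):
        return ProbeResult(init.status, error="credentials required at initialize")
    session = next((v for k, v in init.headers.items() if k.lower() == "mcp-session-id"), None)
    send(transport, url, {"jsonrpc": "2.0", "method": "notifications/initialized"}, session, token)
    listing = send(transport, url, {"jsonrpc": "2.0", "id": 2, "method": "tools/list", "params": {}}, session, token)
    if listing.status != 200:
        return ProbeResult(listing.status, error=f"HTTP {listing.status}")
    msg = parse_jsonrpc(listing.body)
    if not msg or "result" not in msg:
        return ProbeResult(listing.status, error=str((msg or {}).get("error", "no result")))
    return ProbeResult(200, tools=[t.get("name", "?") for t in msg["result"].get("tools", [])])

# Heuristic keyword list (an assumption, not a WodeApp taxonomy) for the actions the
# overview says should need explicit confirmation before an agent performs them.
RISKY_WORDS = ("delete", "update", "publish", "run", "execute", "send", "message", "feishu", "wecom", "dingtalk")

def high_risk(tool_names: list) -> list:
    return [n for n in tool_names if any(w in n.lower() for w in RISKY_WORDS)]

# Constructed offline stand-ins; these replies are invented for the demo, not captured from WodeApp.
def fake_open_transport(url, headers, body):
    method = json.loads(body).get("method")
    if method == "initialize":
        return HttpResult(200, {"Mcp-Session-Id": "demo-session"}, '{"jsonrpc":"2.0","id":1,"result":{}}')
    if method == "tools/list":
        tools = [{"name": "workflow_run"}, {"name": "feishu_send_message"}, {"name": "project_list"}]
        return HttpResult(200, {}, "event: message\ndata: " + json.dumps({"jsonrpc": "2.0", "id": 2, "result": {"tools": tools}}) + "\n\n")
    return HttpResult(202, {}, "")

def fake_locked_transport(url, headers, body):
    return HttpResult(401, {"WWW-Authenticate": "Bearer"}, "")

if __name__ == "__main__":
    import sys
    live = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(live) if live else probe("https://project.example.invalid/mcp", transport=fake_open_transport)
    print("anonymous enumeration:", result.anonymous_enumeration, result.error or "")
    print("tools:", result.tools, "| confirm before use:", high_risk(result.tools))
```

Run it with a real project MCP URL as the first argument to probe live; with no argument it exercises the constructed open-server stand-in. A 200 with a non-empty tool list, returned to a request that carried no Authorization header, confirms the finding; a 401 or 403 at initialize means the 'No Auth Needed' text is out of date for that deployment. Any tool the heuristic flags is one the overview says should be gated behind explicit user confirmation.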

VirusTotal

All 66 vendors reported this skill as clean (0/66 detections). VirusTotal scans the skill package as a file, so a clean result says nothing about the authentication and disclosure issues listed above, which are not malware.

View on VirusTotal