Article Tuwen

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it automatically handles user content in ways that can affect local processes and upload generated material to Feishu without a confirmation step.

Install only if you are comfortable with a fully automatic workflow that may read provided files or URLs, generate local outputs, stop Python processes, and upload resulting files to Feishu. Avoid using it with confidential, proprietary, or regulated content unless you first modify the workflow to require confirmation before cloud sync and replace the blanket Python process kill with targeted cleanup.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The documented workflow uploads generated outputs to Feishu cloud storage and returns a cloud URL, but the skill's stated purpose is local article-to-social-card conversion. This introduces external data exfiltration risk for user-provided materials and generated content, especially because the step is automatic and lacks any explicit user consent or disclosure.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding: The pipeline includes killing all Python processes, starting a local HTTP server, and running screenshot automation, which exceeds the minimum required behavior for content conversion and rendering. The blanket process termination is particularly dangerous because it can disrupt unrelated workloads, and the server operation expands the attack surface and operational risk without clear safeguards.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: Copying files to a Desktop path and launching Explorer are side effects unrelated to the core transformation task and can surprise users by modifying local state and opening applications. While not inherently malicious, these actions expand the skill's authority and create unnecessary opportunities for misuse or unwanted system interaction.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The changelog explicitly advertises a zero-confirmation workflow together with Feishu cloud sync and desktop folder delivery, which indicates the skill may perform data processing and outbound/local delivery actions without an explicit user approval step. In a content-transformation skill handling URLs, files, and text, this increases the risk of unintended disclosure, overwriting local data, or sending sensitive material to external storage without the user realizing it.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README explicitly advertises a zero-confirmation pipeline that writes files locally and syncs outputs to Feishu, but it does not warn users that provided content may be processed and uploaded automatically. This creates a real privacy and data-handling risk because users may supply sensitive URLs, files, or text expecting local transformation only, while the workflow performs additional side effects without explicit consent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The quick start section tells users to paste URLs, file paths, or raw text after the trigger phrase, but omits that the pipeline may immediately process those materials and cloud-sync the results. In context, this is dangerous because the trigger is optimized for one-shot use, increasing the chance that users unknowingly submit confidential data into an automated workflow with external delivery.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrase is broad and the README does not define clear activation boundaries, exclusions, or confirmation requirements. In an agent environment, this can cause accidental invocation on ordinary conversation or pasted content, leading the skill to fetch external material and start a fully automatic pipeline with file writes and uploads without sufficiently explicit user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill advertises a zero-confirmation flow that automatically fetches input material, writes outputs to a desktop folder, and synchronizes them to Feishu cloud storage, but it does not provide explicit warnings, consent gates, or data handling constraints. This creates a real risk of unintended exfiltration of sensitive content, especially when users supply private files, internal URLs, or proprietary text assuming local-only processing.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly mandates zero-confirmation execution while creating files on the local desktop and syncing outputs to Feishu cloud. That creates an unauthorized data-handling risk: user-provided materials may be written to disk and uploaded externally without an explicit consent checkpoint, which is especially risky if the source content contains sensitive or copyrighted information.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The instruction to force-stop all Python processes is a destructive action with no warning, scoping, or confirmation. In a real environment this can terminate unrelated development tools, servers, notebooks, or automation jobs, causing data loss or service interruption.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The cloud upload step transmits generated files to Feishu without any user-facing warning or explicit consent. Even if the files are expected outputs, they may contain sensitive source material, proprietary data, or unpublished content, so silent upload materially increases privacy and compliance risk.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content (quoted excerpt from the skill's documentation):

## ✨ One-Liner

Article Tuwen is a **zero-confirmation, fully automatic** pipeline: feed it URLs, files, or text, and it writes a 4000-word article, renders layouts, screenshots 5-9 social cards (1080×1440), and produces an 800-1000 char compressed text summary. No pauses, no confirmations — end to end.

## 🎯 Problem Solved

Confidence: 89%
Finding: no confirmation

VirusTotal

VirusTotal findings are pending for this skill version.