公众号文章创作 (WeChat Official Account Article Creation)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WeChat article-writing assistant, but it ships an exposed API key and performs automatic local saves plus optional image-generation code execution that users should review before installing.

Install only after reviewing and changing the workflow: revoke/remove the bundled API key, use your own credential from secure local configuration, change or confirm the save directory before any write, and require explicit approval before running the image-generation script or making network API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises and documents file read, file write, and network-capable behavior without any declared permission model or visible user-consent boundary. In an agent setting, this increases the chance of unexpected local file modification and outbound requests occurring implicitly, which is risky even if the stated purpose is content creation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose is a WeChat article-writing assistant, but the described/observed behavior extends into batch image generation, remote URL downloading, and local file saving workflows. This mismatch is dangerous because users and reviewers may authorize the skill under a benign writing pretext while it performs materially different network and filesystem actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation exposes a live API secret in plaintext, which allows anyone with access to the skill file to reuse the credential. Embedded secrets are highly dangerous because they can be copied, abused for unauthorized API usage, and are difficult to contain once published.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to run a local Python script to generate images after user confirmation, which expands a writing assistant into code execution on the host. Even with confirmation, executing local scripts from skill content is dangerous because the script path and behavior are not constrained here, and a compromised or modified script could perform unintended actions on the user's machine.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger phrases are broad enough to match common writing-related requests, which can cause the skill to activate unexpectedly. In a skill that also performs file saves and potential network actions, overbroad invocation increases the chance of unintended side effects.

Vague Triggers

Medium
Confidence
70% confidence
Finding
The invocation examples include generic phrases like writing a public-account article or helping write a post, which are ambiguous and likely to overlap with normal conversation. This becomes more concerning because the skill is documented to automatically save files and prepare image-generation artifacts.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow specifies automatic saving after article completion but does not present a clear user warning that local files will be created or modified. Silent persistence is risky in agent environments because users may expect drafting assistance, not automatic writes to disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill hardcodes a local Windows path and mandates automatic saving there without explicit caution or confirmation. Hardcoded destinations can overwrite files, leak content into sensitive directories, or fail unpredictably across environments, making the behavior more dangerous than a user-selected save location.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation includes API credentials in plaintext, which is a direct secret exposure rather than a mere documentation issue. Anyone reading the file can exfiltrate and abuse the credential for unauthorized API calls and associated costs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs automatic saving of generated content to a fixed local directory without an explicit opt-in at the moment of write. This creates a file-system side effect beyond simple text generation and can overwrite existing files, leak sensitive content into predictable locations, or write into an environment the user did not intend to modify.

Ssd 3

High
Confidence
98% confidence
Finding
The skill not only exposes a live credential but also normalizes its reuse by presenting it as standard configuration. That encourages insecure distribution and operational reuse of secrets, amplifying the blast radius if the file is shared, forked, or logged.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal