
Security audit

Wenshu Search - 裁判文书网 (China Judgements Online) general search skill

Security checks across malware telemetry and agentic risk

Overview

This court-document search skill broadly matches its stated purpose, but it under-discloses two materially riskier behaviours, CAPTCHA automation and decryption of protected site responses, so users should review it carefully before installing.

Install only if you are comfortable with automated access to a protected court website, which may violate the site's terms of use and circumvents its anti-bot controls. Use a low-risk account, avoid full-mode bulk scraping, review the dependencies first, and inspect and delete .wenshu_config.json if you do not want your account identifier and search settings retained on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The header claims the tool only performs normal UI actions and does not tamper with requests, but the implementation goes beyond ordinary UI automation by extracting a secret key and decrypting protected server responses. This mismatch is dangerous because it conceals materially riskier behavior from reviewers and users, reducing informed consent and increasing the chance the tool is deployed in violation of site protections or policy.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding
The comment says the shared version contains no personal account or password information, yet the script prompts for credentials and stores the username locally in a config file. While this is less severe than plaintext password storage, it is still misleading and creates a local privacy risk because an account identifier is persisted without prominent security controls or explicit retention guidance.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The script automates CAPTCHA solving with OCR during login, a classic bypass of an anti-automation control. In this context, that capability materially increases the ability to conduct unattended scraping against a protected service and undermines the site's access-control and abuse-prevention measures.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The code reads a secret key from page globals or localStorage and uses it to decrypt encrypted API responses. This is dangerous because it bypasses the service's intended client-side protection boundary and enables extraction of data in a form not meant to be directly consumed by automation, making bulk harvesting and opaque access easier.
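The four findings above share one root cause: the skill's header describes a narrower capability than its code implements. The following script is an added example, not SkillSpector's rules and not code from the Wenshu Search skill, showing how a reviewer can scan a skill directory for the capability markers named in these findings (CAPTCHA/OCR libraries, secret-key reads from page storage, response decryption, credential prompts, local config persistence) and flag them against the scope claims in the README. The regexes, the claim phrases and the sample skill files are constructed assumptions for this example; real code can evade them, so treat a clean scan as a prompt to read further, not as a verdict.

```python
import re
from dataclasses import dataclass

# Capability markers drawn from the audit findings. Each entry is
# (label, regex). These patterns are assumptions for this example, not
# SkillSpector's detection rules, and obfuscated code will evade them.
MARKERS = [
    ("captcha_ocr",       re.compile(r"\b(ddddocr|pytesseract|easyocr|captcha)\b", re.I)),
    ("client_key_read",   re.compile(r"(localStorage\.getItem|sessionStorage\.getItem|window\.\w*[kK]ey)")),
    ("response_decrypt",  re.compile(r"\b(AES|DES3?|Cipher|decrypt\w*)\b")),
    ("credential_prompt", re.compile(r"\b(getpass|input\s*\(\s*['\"][^'\"]*(user|account|password|密码|账号))")),
    ("local_config_write", re.compile(r"\.\w*config\w*\.json")),
]

# Scope claims a header or README might make. Also assumptions for the example.
INTENT_CLAIMS = {
    "no_request_tampering":  re.compile(r"(does not tamper|only performs normal UI|不篡改)", re.I),
    "no_credentials_stored": re.compile(r"(no (personal )?account or password|不包含.*(账号|密码))", re.I),
}

# Which observed markers contradict which claim.
CONTRADICTS = {
    "no_request_tampering":  {"client_key_read", "response_decrypt", "captcha_ocr"},
    "no_credentials_stored": {"credential_prompt", "local_config_write"},
}


@dataclass(frozen=True)
class Hit:
    path: str
    line_no: int
    marker: str
    text: str


def scan_files(files: dict[str, str]) -> list[Hit]:
    """files maps a relative path to its source text. One Hit per (line, marker)."""
    hits = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for marker, rx in MARKERS:
                if rx.search(line):
                    hits.append(Hit(path, no, marker, line.strip()))
    return hits


def intent_divergence(files: dict[str, str], hits: list[Hit]) -> dict[str, set[str]]:
    """Map every scope claim found in any file to the set of markers that contradict it."""
    observed = {h.marker for h in hits}
    result: dict[str, set[str]] = {}
    for text in files.values():
        for claim, rx in INTENT_CLAIMS.items():
            if rx.search(text):
                contra = observed & CONTRADICTS[claim]
                if contra:
                    result[claim] = contra
    return result


def report(files: dict[str, str]) -> list[str]:
    """Human-readable lines: one per marker hit, then one per intent divergence."""
    hits = scan_files(files)
    lines = [f"{h.path}:{h.line_no} [{h.marker}] {h.text}" for h in hits]
    for claim, markers in intent_divergence(files, hits).items():
        lines.append(f"INTENT DIVERGENCE: header claims {claim!r} but code shows {sorted(markers)}")
    return lines


# Constructed sample skill, modelled on the behaviours the findings describe.
# It is not the real skill's code.
SAMPLE_SKILL = {
    "README.md": (
        "# Wenshu Search\n"
        "This tool only performs normal UI actions and does not tamper with requests.\n"
        "The shared version contains no account or password information.\n"
    ),
    "wenshu.py": "\n".join([
        "import ddddocr",
        "from Crypto.Cipher import AES",
        "import getpass, json",
        "",
        "def login(page):",
        "    user = input('account: ')",
        "    pw = getpass.getpass('password: ')",
        "    code = ddddocr.DdddOcr().classification(page.captcha_png())",
        "    json.dump({'user': user}, open('.wenshu_config.json', 'w'))",
        "",
        "def decrypt_response(page, body):",
        "    key = page.evaluate('localStorage.getItem(\"secretKey\")')",
        "    return AES.new(key.encode(), AES.MODE_ECB).decrypt(body)",
    ]),
}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SKILL)))
```

Run it against a real skill by reading each file in the directory into the `files` dict before calling `report`. The useful output is the divergence lines at the end: a marker hit on its own is just a capability, but a marker that contradicts an explicit scope claim is the pattern these findings describe and is what should block an install until it is explained.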

VirusTotal

67/67 vendors flagged this skill as clean. A clean antivirus verdict means only that no vendor matched a known malware signature; it says nothing about the behavioural findings above.


Static analysis

No suspicious patterns detected. The four findings above were not raised by this pattern scan, so a clean result here does not negate them.