xfg-zsxq-skills

Security checks across malware telemetry and agentic risk

Overview

This is a real ZSXQ automation skill, but it asks users to handle full account credentials and can post, reply, read notifications, and set recurring account activity with weak guardrails.

Install only if you trust the publisher and specifically want unofficial ZSXQ account automation. Treat cookies and access tokens as passwords, avoid pasting them into visible commands or logs, verify the target group before posting, remove or override hard-coded group defaults, and do not enable scheduled checks or auto-reply behavior unless you are comfortable with recurring authenticated account actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly instructs use of shell commands, browser automation, local file reads, and environment-like secret handling, but declares no permissions. This creates a transparency and consent failure: an agent or user may authorize the skill without understanding it can execute commands and access sensitive local state such as stored configuration files.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README materially understates the skill's capabilities compared with the manifest, omitting reply automation, browsing, notification checking, and scheduled auto-actions. This mismatch can mislead reviewers and users about the skill's true operational scope, reducing informed consent and making it easier for higher-risk automation features to evade scrutiny.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation embeds a real-looking access token directly in the sample config, which can normalize credential leakage and may expose an actual secret if it was copied from a live environment. In a skill that automates posting and replying with account credentials, a leaked token could allow unauthorized access to the user's ZSXQ account and actions on their behalf.

Ssd 3

High
Confidence
98% confidence
Finding
The skill tells users/agents to extract full authentication cookies from browser developer tools and reuse them for automation, including reading saved credentials from a local config file. Full session cookies are bearer secrets; exposure lets anyone impersonate the account, access private group data, post content, and potentially pivot into broader account compromise.

Ssd 3

High
Confidence
99% confidence
Finding
Passing raw cookies on the command line or in curl headers exposes credentials through shell history, process listings, logs, crash reports, and agent transcripts. In multi-user or monitored environments, this can directly leak session tokens and enable account takeover or unauthorized posting and data access.

Ssd 3

High
Confidence
97% confidence
Finding
The troubleshooting steps normalize repeatedly copying fresh cookies and updating stored configuration with live credentials. This increases the chance of credential leakage, persistent storage of sensitive session tokens in plaintext, and accidental reuse by agents beyond the user's intended scope.

Ssd 3

High
Confidence
96% confidence
Finding
The file instructs users to retrieve the access token from browser cookies and to view/store it in plain text config files, which encourages unsafe handling of bearer credentials. Because this token appears sufficient to authenticate API actions for the automation skill, exposure through screenshots, shell history, copied configs, or shared terminals could lead to account compromise.

Credential Access

High
Category
Privilege Escalation
Content
## Quick Start

### 1. Obtain the Access Token

1. Log in to https://wx.zsxq.com
2. Press `F12` to open the developer tools
Confidence
91% confidence
Finding
Access Token

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
87% confidence
Finding
The trigger '发帖' ("post") is very broad and can match ordinary conversation, causing the skill to activate unexpectedly. In a skill capable of posting content and reading local config/secrets, accidental invocation raises the chance of unintended actions or premature access to sensitive account state.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
87% confidence
Finding
The trigger '回帖' ("reply") is too generic and may fire during unrelated user requests. Because the skill supports browser automation and authenticated replies, unintended activation could lead to accidental navigation, draft generation, or posting attempts in a logged-in session.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
83% confidence
Finding
The trigger '通知' ("notification") is highly generic and may match many unrelated user intents. In a skill that can check account notifications and potentially schedule recurring tasks, accidental activation could expose private account activity or create undesired automation.

VirusTotal

65/65 vendors flagged this skill as clean.