Wenshushu File Uploader

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real file-sharing skill, but it needs Review because it can install tools and upload arbitrary local files to a public third-party service without tight user-control boundaries.

Install only if you are comfortable with third-party file sharing and automatic dependency setup. Confirm the exact file path before every upload, avoid sensitive files unless encrypted, protect any Wenshushu token, and treat pickup codes and management links as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("📦 正在安装 wssf...")
    try:
        # Install wssf with uv
        subprocess.run(
            [UV_PATH, "pip", "install", "wssf==5.0.6"],
            check=True,
            timeout=120
Confidence
94% confidence
Finding
subprocess.run( [UV_PATH, "pip", "install", "wssf==5.0.6"], check=True, timeout=120 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        print(f"📤 正在上传: {filepath.name} ({filepath.stat().st_size / 1024:.1f} KB)")
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
78% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)  # 5 minute timeout

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises shell-capable behavior such as automatic installation and command execution, but it does not declare corresponding permissions. This creates a transparency and policy gap: a user or platform may not realize the skill can execute system commands or alter the environment, increasing the risk of unexpected code execution and package installation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill can install additional software during execution, which is broader than its stated purpose and increases the attack surface. In an automated agent environment, runtime installation can introduce unreviewed code, change reproducibility, and create persistence or dependency-confusion opportunities.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README describes broad natural-language triggers such as '发文件给我' ("send me the file") or '上传文件' ("upload file") without clear boundaries, confirmation requirements, or file-selection constraints. In an agent setting, this can cause unintended activation and accidental exfiltration of local files to a public file-sharing service if the assistant matches ordinary conversation too aggressively.

Vague Triggers

Low
Confidence
76% confidence
Finding
The workflow example shows the skill activating from a simple user request but does not define guardrails for when the agent should refuse, ask clarifying questions, or require explicit file identifiers. This ambiguity increases the chance of accidental invocation, though the issue is primarily about unsafe design clarity rather than direct code execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises automatic delivery of the management link along with the public link and pickup code, but does not clearly warn that the management link may allow deletion or administrative control over the uploaded file. Sharing that link with end users or unintended recipients expands impact from simple download access to unauthorized management of shared content.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad everyday expressions like '上传文件' ("upload file") and '分享文件' ("share file"), which can cause the skill to activate in contexts where the user did not intend external upload. In this skill, unintended activation is more dangerous because the documented action is sending local files to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports uploading arbitrary local files to wenshushu.cn and generating public download links, but it does not require a clear pre-transmission warning that file contents, filenames, sizes, and related metadata leave the local environment. Because uploads may involve sensitive workspace or system files, insufficient warning and consent can lead to accidental data exfiltration.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description states the skill will 'automatically upload files' and generate sharing details, but it does not define when this should occur, what user consent is required, or any scope limitations. In a file-upload skill, broad automatic invocation increases the risk of unintended exfiltration of local or user-provided files to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer downloads a shell script from the network and immediately executes it with `sh`, giving remote code execution if the upstream server, transport, or fetched content is compromised. This is especially risky in an installer because users are likely to run it with trust and may not inspect the downloaded code first.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This function is designed to upload a local file to a third-party service, but it does not present an in-band warning, confirmation, or policy check about external data transfer. In a skill context, that materially increases exfiltration risk because the agent may handle confidential workspace files and automatically transmit them off-system.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script modifies the environment by installing an external package and then relies on it, without a clear warning or approval step. That is dangerous in managed agent environments because dependency installation can execute arbitrary package code and alter the runtime unexpectedly.

Ssd 3

Medium
Confidence
93% confidence
Finding
The documentation instructs operators to extract an authentication token from browser developer tools and persist it locally for the skill to use. This encourages handling long-lived bearer credentials outside standard authentication flows, increasing the risk of credential theft, accidental disclosure, reuse across contexts, and account compromise if the token file is exposed.

External Script Fetching

Low
Category
Supply Chain
Content
### Method 2: Manual installation
```bash
# 1. Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

# 2. Install wssf
uv venv
```
Confidence
92% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
### Method 2: Manual installation
```bash
# 1. Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

# 2. Install wssf
uv venv
```
Confidence
94% confidence
Finding
| sh

VirusTotal

61/61 vendors flagged this skill as clean.