Weibo Manager

Security checks across malware telemetry and agentic risk

Overview

This Weibo automation skill has a real approval workflow, but it also includes under-disclosed account deletion, sensitive screenshot sharing, plaintext session cookies, and command-injection-prone shell calls.

Install only after review if you are comfortable giving it reusable Weibo session cookies and Feishu access. Before use, remove or disable the undocumented delete and diagnostic scripts, replace shell-built execSync calls with argument-array subprocess APIs, protect cookies.json, and require explicit confirmation before publishing, deleting, uploading screenshots, or processing local image files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (18)

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: On error, the script uploads a local screenshot of the authenticated Weibo session to an unrelated external Feishu sender via a shell command. Those screenshots can contain private account data, post contents, usernames, or other sensitive page state, and the transfer happens without explicit user consent or tight scoping to minimal diagnostic data.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The script deliberately enables stealth browser automation against a live Weibo profile, which is a sensitive capability because it is designed to evade bot detection while interacting with an authenticated web session. In the absence of a clearly justified security-testing or scraping context, this increases the risk of unauthorized access, covert data collection, and policy evasion.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The code reads cookies from a local file and reuses them to impersonate an existing logged-in session on Weibo. Session cookie reuse is highly sensitive because anyone who can supply or access that file can access account-scoped content without re-authentication, and the script provides no validation, consent, or scope limitation.

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The code builds shell commands with interpolated values and executes them via execSync, including attacker-influenced input from TARGET_CHAT_ID and structured message content. If those values contain shell metacharacters or quoting breaks, this can lead to arbitrary command execution in the environment running the skill.

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The dependency list includes `puppeteer-extra-plugin-stealth`, which is specifically designed to evade bot detection and disguise automated browser behavior. In a skill context, shipping evasion-oriented automation without clear justification, disclosure, or user opt-in increases the risk that the package is being used to bypass platform defenses, anti-abuse controls, or terms-of-service protections.

Missing User Warnings

High

Confidence: 95% confidence
Finding: This script performs a destructive account action by deleting the latest Weibo post as soon as the function is invoked, with no in-code user confirmation, preview, or verification that the selected post is the intended target. Because it relies on stored authentication cookies and broad UI element matching, a mistaken invocation or selector mismatch could silently delete content from the authenticated account.

Missing User Warnings

High

Confidence: 94% confidence
Finding: The function performs irreversible deletion of a social media post based only on a text match and immediately confirms the destructive action programmatically. There is no independent user confirmation, dry-run mode, or strong validation that the matched post is the intended one, so mistakes or abuse can silently delete the wrong content.

Missing User Warnings

High

Confidence: 98% confidence
Finding: After failures, the script transmits debug screenshots externally without a clear user-facing warning, which can leak sensitive page contents from an authenticated browsing session. Because this occurs in an exception path, users may be unaware that private data is being exfiltrated precisely when an operation fails.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script forcibly deletes any existing cookie store before starting a new login flow, which can silently invalidate an existing authenticated session and replace it with a new one. In this skill's context, that behavior affects account state and authentication continuity without explicit consent, making it a real security/privacy concern rather than a purely UX issue.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The code writes all browser cookies, including the authentication cookie ('SUB'), to a plaintext JSON file on disk with no notice, access controls, encryption, or minimization. If that file is read by another local process, user, or later exfiltrated by another component, it can enable session hijacking and unauthorized access to the user's Weibo account.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The script hard-codes an absolute path to a user-local image under /Users/runchen/.openclaw/media/inbound and then logs that path, creating unnecessary exposure of local filesystem structure and silently consuming potentially sensitive user content. In shared environments or reused code, this can disclose private data locations and process personal files without explicit consent or runtime validation.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: Injecting authentication cookies into a browser session without clear disclosure or confirmation creates a silent credential-use path that can surprise users and facilitate misuse of someone else's authenticated state. This is especially risky here because the script immediately navigates to a live profile after setting cookies, with no warning, audit prompt, or consent gate.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script writes page HTML, structure dumps, and screenshots from an authenticated session to local files, which can capture private account data, identifiers, and session-adjacent content. Persisting this data without minimization or disclosure increases the chance of local data leakage, unauthorized sharing, or later exfiltration.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script saves a full-page screenshot of authenticated Weibo content to a local file without any access controls, consent prompt, or minimization. Screenshots can capture sensitive account data, private content, usernames, recommendations, or session-adjacent information, and the file may persist on disk longer than intended or be exposed through backups, logs, or shared workspaces.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script persists Weibo authentication cookies, including the main auth cookie, to a local JSON file without any disclosure, consent flow, or visible protection of the stored credential material. Anyone with filesystem access, backups, or log/artifact access to that file may be able to reuse the session and impersonate the user.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The script constructs shell commands with untrusted inputs and passes them to execSync, including image paths and the target chat/message payload. Because shell metacharacters inside img, TARGET_CHAT_ID, or msg can break out of quoting, an attacker could achieve command injection and execute arbitrary commands on the host running the skill.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script captures a screenshot of a logged-in browser session and stores it locally without any consent, warning, retention control, or minimization. Screenshots can contain private account data, messages, profile details, or other sensitive content, so writing them to disk creates an avoidable confidentiality risk if the host is shared or compromised.

Missing User Warnings

High

Confidence: 97% confidence
Finding: On login failure, the script uploads a browser screenshot to Feishu, which is an external transmission of potentially sensitive page data. In this skill context, the page is a logged-in social media session, so the screenshot may expose account information, content, or UI state to a third-party messaging channel without explicit authorization or data handling safeguards.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal