Coze-Power

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Coze-to-local bridge, but it exposes local file writes, clipboard access, and shell commands over a public tunnel with weak defaults and unsafe command handling.

Install only if you intentionally want a cloud Coze bot to reach your machine. Before running it, change the API key, avoid public exposure unless necessary, narrow allowed_paths and allowed_commands to the minimum, run it in a container or VM, and do not allow clipboard reads or file writes around sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"error": f"Command '{base}' not allowed. Allowed: {', '.join(CONFIG['allowed_commands'])}",
        }
    try:
        result = subprocess.run(
            command, shell=True, capture_output=True, text=True, timeout=30
        )
        return {
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True, timeout=5
            )
        elif sys.platform == "darwin":
            subprocess.run(
                ["osascript", "-e", f'display notification "{message}" with title "{title}"'],
                capture_output=True, timeout=5
            )
Confidence
87% confidence
Finding
subprocess.run( ["osascript", "-e", f'display notification "{message}" with title "{title}"'], capture_output=True, timeout=5 )

Missing User Warnings

High
Confidence
98% confidence
Finding
The quick-start and example prompts encourage exposing a local control server publicly and immediately trying sensitive actions like listing desktop files, while the user-facing warnings are minimal and not placed inline with those instructions. In this context, omission is dangerous because the skill bridges a cloud bot to local machine capabilities, so inadequate warnings materially increase the chance of accidental data exposure or unsafe command execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The diagram advertises a cloud bot reaching a localhost service through a public tunnel and accessing shell commands, file operations, clipboard read/write, and system info, but it contains no warning about the security implications. In this skill's context, those are highly sensitive capabilities; omitting disclosure can cause users to expose remote code execution and local data access on their machine without understanding the risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The spec explicitly exposes a write/overwrite file capability on the local machine but provides no warning, confirmation, or indication of sensitive-path restrictions in the manifest. In this skill's context, a cloud bot is being bridged to local machine access, so silent overwrite capability can enable destructive changes to user files, config tampering, or persistence if the exposed server is reachable.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The manifest advertises shell command execution on the local machine with only a vague note that commands are whitelisted; it gives no warning about arbitrary system impact, and the API contract describes no strong constraints. Given that the skill's purpose is to bridge a cloud bot to local execution and the server is intended to be exposed via ngrok/Cloudflare, this capability materially increases the risk of remote code execution, data destruction, credential theft, or full host compromise if controls fail or are misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Clipboard-read access can expose sensitive transient data such as passwords, MFA codes, API keys, wallet addresses, and private messages, yet the manifest gives no privacy warning or usage constraints. In this skill, the clipboard is part of a local-machine bridge for a cloud bot, making exfiltration risk substantially higher than in a purely local automation context.

Missing User Warnings

Low
Confidence
91% confidence
Finding
Clipboard-write access can silently replace user clipboard contents, enabling phishing, command substitution, wallet-address replacement, or disruption of ongoing user workflows. Because this skill is designed to let a remote/cloud bot affect the local machine, lack of warning or confirmation materially increases the chance of deceptive or harmful clipboard manipulation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This API reference exposes highly sensitive local-capability endpoints such as file read/write, shell command execution, clipboard access, and system information collection, but it does not include prominent user-facing warnings about the privacy and integrity risks of enabling them. In the context of a bridge from a cloud bot to a local machine, this omission is dangerous because users may grant access without understanding that a remote agent could exfiltrate local data, alter files, or execute commands on their host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to expose a local server to the internet and then demonstrates prompts that can list desktop files, execute shell commands, and create files, but it does not provide a clear, prominent warning about the risk of remote access to local data and system integrity. In this skill's context, that omission is especially dangerous because the product's core purpose is bridging a cloud bot to sensitive local capabilities, so weak operator awareness can directly lead to data exposure or remote command misuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example explicitly encourages reading clipboard contents but does not warn that the clipboard may contain highly sensitive data such as passwords, tokens, personal messages, or proprietary text. In this skill's context, Coze-Power bridges a cloud bot to local machine capabilities, so clipboard access can expose local secrets to a remote agent workflow and materially increases privacy and data-exfiltration risk.

VirusTotal

VirusTotal findings are pending for this skill version.
