Back to skill

Security audit

odd-articles

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its content-production purpose, but it needs Review because it combines automatic publishing, stored credentials, background-style material capture, unsafe credential handling, and AI-detection evasion guidance.

Review this skill carefully before installing. Use preview or dry-run modes first, do not provide real publishing credentials until you understand the flows, rotate the hardcoded/exposed API key if it is yours, avoid using it on sensitive conversations because it auto-records material, and remove or change the TLS bypass and anti-detection writing guidance before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (35)

Tainted flow: 'data' from requests.get (line 51, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
data = result.json()

        if data["task_status"] == "SUCCEED":
            image = Image.open(BytesIO(requests.get(data["output_images"][0]).content))
            image.save(output_file)
            print(f"图片已保存到: {output_file}")
            break
Confidence
94% confidence
Finding
image = Image.open(BytesIO(requests.get(data["output_images"][0]).content))

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs the agent to read environment variables, read and write files, and access the network, yet no explicit permission declaration is provided. This creates a capability-transparency gap: users and policy layers may not realize the skill can persist content, fetch remote data, and publish externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior understates the skill’s real reach: it can scrape WeChat articles, archive files, use external APIs, call official WeChat APIs, and distribute to additional platforms. When a skill does more than its description suggests, users cannot give informed consent, and hidden publishing or data-transfer paths become much riskier.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The spec explicitly requires inserting `BRAND_LOGO_DARK` / `BRAND_LOGO_LIGHT` content into HTML verbatim. Because these values are environment-controlled and SVG can contain active content or unexpected markup, this creates a direct HTML/script injection path in the generated page, which is then opened in a browser and processed by `html2canvas` and other libraries.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document explicitly instructs the agent to evade AI-detection systems by manipulating statistical, stylistic, and semantic signals so generated text appears human-authored. This goes beyond ordinary writing guidance and creates a deception workflow intended to defeat downstream trust and provenance controls, which is unsafe in a content-production and distribution pipeline.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script unconditionally executes a shell command to kill any Chrome process matching "remote-debugging-port" between platform runs. This is broader than the stated distribution task and can terminate unrelated user or automation browser sessions on the host, creating a denial-of-service condition and unsafe cross-process interference. In a content-distribution skill that automates browsers via CDP, process management is expected, but the global kill pattern makes the behavior more dangerous because it affects system-wide Chrome instances rather than only those launched by this tool.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The client globally disables TLS certificate verification for WeChat API calls via `rejectUnauthorized: false`, which permits man-in-the-middle interception and modification of API traffic. Because this code handles app credentials, access tokens, article content, and uploaded media, a network attacker could steal secrets or tamper with published content.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A hardcoded ModelScope API key is embedded directly in the script, making credential leakage very likely through source control, logs, packaging, or redistribution of the skill. Anyone who obtains the file can reuse the key to make API calls, consume quota, incur cost, or access associated account capabilities.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises one-click multi-platform distribution and credential-backed publishing but does not warn users that invoking these features can transmit data to external services and create irreversible side effects such as posting content. In an agent skill context, unclear disclosure increases the risk of accidental publication, unintended data sharing, and operator surprise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation enumerates sensitive secrets including platform app secrets and API tokens and instructs users to place them in a local .env file without any guidance on secure storage, least privilege, or rotation. In practice this can lead to credential leakage through filesystem exposure, backups, logs, or accidental commits of copied configuration.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase '出稿' is broad enough to appear in ordinary conversation, but in this skill it initiates a multi-step content generation pipeline with file writes and downstream publishing preparation. Ambiguous activation increases the risk of unintended execution of sensitive actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The reading triggers are phrased like ordinary conversational requests and can easily collide with normal assistant usage. In this skill, such triggers lead to article fetching and analysis, which may cause unintended network access and processing of third-party content.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Formatting and image-generation triggers use generic phrases such as '排版' and '做配图', which are common in routine chat. Because these commands can generate files and invoke tools, accidental matching may produce unwanted filesystem changes or downstream publishing artifacts.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Distribution and archive triggers like '一键发布', '存档', and '归档' are highly generic despite mapping to external posting and file-moving behavior. Ambiguous intent matching is especially dangerous here because the actions have irreversible external or filesystem effects.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs the agent to automatically identify and persist 'useful moments' from conversation by default, without an upfront consent prompt or clear privacy notice. This can capture sensitive user content unexpectedly and store it on disk for later reuse or publication.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill is framed around one-click generation and multi-platform distribution, including automated publication, but does not present a prominent warning that content may be posted to external services. This increases the chance of unintended publication, credential use, and reputational harm.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The archive feature moves historical documents between directories but does not foreground that this changes the local filesystem and may affect discoverability or downstream tooling. Silent file moves can surprise users and potentially cause loss of expected file locations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs users to move files from OUTPUT_DIR to ARCHIVE_DIR, which is a destructive filesystem action, but it does not present a prominent up-front warning that source files will be removed from the original location. In an agent skill context, this increases the chance of accidental invocation causing unexpected data movement or workflow disruption, especially because the skill is designed for one-command content operations.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes broad natural-language activators such as “存档” and “归档”, which are common words that may appear in ordinary conversation and can unintentionally invoke the archival action. Because the action moves files, accidental triggering could cause unplanned data relocation, skipped files on conflicts, or downstream automation errors.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to insert environment-supplied SVG content without any trust boundary warning is dangerous because SVG is not passive data in all contexts. In this skill, the content is embedded into generated HTML, making the lack of sanitization and trust validation materially exploitable rather than merely undocumented.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to publish a local Markdown file using a PAT but does not clearly warn that the command sends local content over the network and can create a real public post unless preview mode is used. In a content-publishing skill, that omission can cause accidental disclosure of unpublished or sensitive material and unintended external actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document recommends storing CNBLOGS_TOKEN in local/.env but does not warn that this is a sensitive credential that must not be committed, shared, or exposed in logs/shell history. In a skill intended to automate publishing, this increases the chance of credential leakage and account misuse if the token is mishandled.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The template starts browser speech recognition from the toolbar and continuously restarts it, but the UI text does not clearly disclose that microphone audio will be captured and processed for transcription. In a content-production skill that encourages recording and publishing workflows, this creates a real privacy risk because users may enable subtitles without understanding the audio collection and browser/vendor processing involved.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The instruction to overwrite edits into the same file without warning or confirmation can cause silent modification or loss of user-authored content. In an automated pipeline, this weakens user control and auditability, especially when the system may revise source material destructively.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code performs a real publish action when preview is false by locating and clicking the Douyin publish button without any explicit confirmation step in this file. In a content-distribution skill whose purpose is one-click multi-platform posting, that behavior increases the chance of unintended public publication if the manifest is wrong, the operator misunderstands the mode, or the browser session is hijacked/misdirected.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+2 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/distribute/cdp-utils.ts:285

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/distribute/distribute.ts:130

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/distribute/platforms/wechat.ts:56

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/distribute/wechat-api.ts:188

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/distribute/cdp-utils.ts:50

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/distribute/wechat-api.ts:27

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/generate_img.py:20

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/distribute/wechat-api.ts:18

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/distribute/wechat-api.ts:98