WeCom Smart Sheet (企微智能表格)

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for WeCom automation, but it can write business records, post group messages, store local tracking data, and create scheduled reminders with overly broad activation and limited user-control guidance.

Install only if you want an agent to actively write to WeCom smart sheets, send WeCom group messages, keep a local deadline tracker, and create reminders. Use least-privilege webhook and bot keys, confirm each live write or notification destination before execution, avoid storing unnecessary financial or personnel details in the tracker, and periodically review or delete scheduled reminders and local tracker records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill performs network requests, local file writes, and file reads, yet declares no permissions or user-facing consent boundaries. This creates an authorization gap where an agent may transmit enterprise data to external webhooks and persist it locally without explicit approval, increasing the risk of unintended data exposure and unsafe execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script persists business payloads, deadlines, responsible persons, and related metadata to a local JSON tracker file even though the skill description only frames the behavior as WeCom table insert/query/notify actions. This creates undisclosed local data retention of potentially sensitive operational and financial information, increasing exposure through filesystem access, backups, or accidental reuse.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
A function is first documented as pushing data without tracking, but later the same function name is redefined to enable local tracking by default. This mismatch is dangerous because callers and reviewers may believe data is only transmitted to WeCom when it is also being silently persisted locally, undermining informed consent and security review.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger condition '任何涉及在企微智能表格中新增/查询/提醒/通知的操作,均触发此技能' is extremely broad and can activate on many routine enterprise requests. In this skill, activation is dangerous because it leads to outbound webhook calls, local tracking writes, and scheduled reminders, so accidental invocation could cause unauthorized data entry, disclosure, or message spam.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger phrase list includes generic terms such as '添加任务', '报销', '工作流', and '巡检', which overlap with common business conversation. Because this skill is wired to perform operational side effects after activation, overly generic triggers materially increase the chance of unintended execution against enterprise systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs writing business records and deadlines into a local JSON tracker without warning users that their data will persist on disk. This is risky because task, expense, and personnel metadata may remain locally stored beyond user expectations, creating privacy, retention, and unauthorized access concerns on the host system.

External Transmission

Medium
Category
Data Exfiltration
Content
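| Step | Action | How it is executed | Notes |
|---|---|---|---|
| **① Write to the sheet** | Build the payload and POST it to the sheet webhook | `curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key={key}" -H "Content-Type: application/json" -d '{payload}'` | In the payload, the keys of `add_records[0].values` are field IDs, and values are passed according to the field type |
| **② Group notification** | Send a Markdown message to the corresponding group bot | `curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key={bot_key}" -H "Content-Type: application/json" -d '{markdown_payload}'` | Must be sent to the group that corresponds to this sheet; do not send it to the wrong group |
| **③ Local tracking** | Synchronously write to `wecom_deadline_tracker.json` | Call the Python script's `track_record()` or append JSON manually | Records deadline information for the daily inspection script to read |
| **④ Set a reminder** | Create a one-time scheduled reminder that is sent to the corresponding group before the deadline | WorkBuddy `automation_update` tool, `scheduleType="once"`, with the prompt using curl to call the group bot | The reminder message is sent to the corresponding group |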
Confidence
92% confidence
Finding
curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key={key}" -H "Content-Type: application/json" -d

External Transmission

Medium
Category
Data Exfiltration
Content
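| Step | Action | How it is executed | Notes |
|---|---|---|---|
| **① Write to the sheet** | Build the payload and POST it to the sheet webhook | `curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key={key}" -H "Content-Type: application/json" -d '{payload}'` | In the payload, the keys of `add_records[0].values` are field IDs, and values are passed according to the field type |
| **② Group notification** | Send a Markdown message to the corresponding group bot | `curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key={bot_key}" -H "Content-Type: application/json" -d '{markdown_payload}'` | Must be sent to the group that corresponds to this sheet; do not send it to the wrong group |
| **③ Local tracking** | Synchronously write to `wecom_deadline_tracker.json` | Call the Python script's `track_record()` or append JSON manually | Records deadline information for the daily inspection script to read |
| **④ Set a reminder** | Create a one-time scheduled reminder that is sent to the corresponding group before the deadline | WorkBuddy `automation_update` tool, `scheduleType="once"`, with the prompt using curl to call the group bot | The reminder message is sent to the corresponding group |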
Confidence
92% confidence
Finding
curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key={bot_key}" -H "Content-Type: application/json" -d

External Transmission

Medium
Category
Data Exfiltration
Content
```
}
```

**Complete curl example (work task system):**
```bash
curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key={TASK_WEBHOOK_KEY}" \
  -H "Content-Type: application/json" \
```
Confidence
91% confidence
Finding
Complete curl example (work task system):** ```bash curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key={TASK_WEBHOOK_KEY}" \ -H "Content-Type: application/json" \ -d '{ "add_records":

External Transmission

Medium
Category
Data Exfiltration
Content
- `scheduleType`: `"once"`
- `scheduledAt`: ISO 8601 format, e.g. `"2026-04-28T09:00"`
- `status`: `"ACTIVE"`
- `prompt`: contains a curl command that calls the group bot directly to send the reminder

**Prompt template:**
Confidence
95% confidence
Finding
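curl command that calls the group bot directly to send the reminder **Prompt template:** ``` Send a reminder message to the work task group. Execute the following command: curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key={TASK_BOT_KEY}" -H "Content-Type: application/json" -d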

External Transmission

Medium
Category
Data Exfiltration
Content
**② Write to the sheet:**
```bash
curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key={TASK_WEBHOOK_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "add_records": [{
```
Confidence
91% confidence
Finding
curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key={TASK_WEBHOOK_KEY}" \ -H "Content-Type: application/json" \ -d '{ "add_records": [{ "values": {

VirusTotal

VirusTotal findings are pending for this skill version.
