Back to skill

Security audit

Typecho Blog Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly a Typecho publishing tool, but it also includes high-impact blog deletion, bulk modification, and immediate-publication paths that are not consistently scoped or warned about.

Install only if you are comfortable giving the skill admin-level control over your Typecho blog. Use a least-privileged or test account if possible, keep BLOG_PASSWORD out of source control, prefer --draft workflows, avoid running cleanup/delete scripts unless you have backups, and review any remote image URL before letting the skill download and upload it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (40)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README documents broader blog-management actions such as listing stats and deleting posts, while the skill is described as a publishing skill. This scope expansion increases operational risk because a user or downstream agent may invoke destructive or privacy-sensitive actions that were not clearly disclosed in the skill metadata.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README explicitly advertises delete-post functionality even though the skill is positioned as a publishing tool. Hidden destructive capability is dangerous because an orchestrating agent or user may trust the skill for content creation but unintentionally grant it authority to erase blog content.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is described as a blog publishing tool, but this script adds bulk cleanup and remote post privatization capabilities that can modify or effectively remove content from the blog. That scope expansion is dangerous because a user or downstream agent expecting only publishing behavior may unknowingly execute destructive authenticated actions against the remote service.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The user-facing safety text says posts are set to draft, but the code actually sets post_status to private and assigns a shared password. This mismatch can mislead operators about recoverability and exposure, causing them to run the tool under false assumptions while the script changes access control in a different way than documented.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script enumerates recent posts and modifies remote blog content in place by calling metaWeblog.editPost, which is broader than a typical 'publish new article' capability. In an agent skill context, this creates an integrity risk because running the script can silently alter existing published content and force publication state changes without an explicit scoped approval for edits.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The script searches multiple locations for a .env file, including a user home workspace path, which broadens its access to credentials beyond the immediate skill directory. In an agent environment, this kind of credential discovery can unintentionally pull secrets from unrelated projects or user scopes, increasing the blast radius if the script is misused or repurposed.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script includes a remote post-deletion capability even though the skill is ներկայացված as an automatic blog publishing tool. This expands the agent's authority from content creation into destructive content management, increasing the chance of misuse or unintended data loss if the command is exposed or invoked accidentally.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can remotely delete blog posts through XML-RPC using stored credentials, which is not justified by the declared purpose of publishing articles. In an agent skill context, undocumented destructive actions are particularly dangerous because they can be triggered by prompt confusion, abuse, or overbroad tool permissions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The log shows the skill performs image search, image download, temporary file creation, AI content generation, and draft/publication workflows beyond the stated core function of publishing content to Typecho. This scope expansion increases the attack surface substantially: untrusted external content is fetched and processed, and the skill can autonomously create and publish material, which raises risks of SSRF-like outbound requests, unsafe content ingestion, and unintended data handling.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill downloads images from arbitrary third-party URLs during the publishing flow, as shown by requests to external hosts such as GitHub and Pexels. Fetching attacker-controlled URLs can expose the runtime to malicious payloads, internal network probing via crafted URLs, excessive resource consumption, and privacy leakage through outbound requests.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script fetches arbitrary remote image URLs embedded in markdown before publication, which expands the skill from simple blog publishing into outbound network access against attacker-controlled hosts. This can be abused for SSRF-style probing of internal services, unexpected data egress, or forcing the agent environment to contact untrusted endpoints during a publish action.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The environment loader searches parent directories and a workspace-wide .env path, allowing this skill to read credentials and configuration unrelated to Typecho publishing. In an agent workspace, that broad secret discovery behavior exceeds least privilege and increases the chance of accidental credential exposure or misuse if other sensitive variables are present.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module docstring promises a draft/preview workflow, but the implementation ultimately calls `publish_from_file(..., publish_now=True)` and exposes content publicly immediately. In an automation skill, this mismatch can cause unintended publication of unreviewed or unsafe content, which is a meaningful integrity and operational risk.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The function-level documentation indicates a draft-oriented workflow, but `main()` performs immediate publication without a review gate. This creates a dangerous trust mismatch: users or higher-level agents may believe content is safely staged when it is actually pushed live.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The surrounding skill context advertises draft support, but this code path only publishes immediately. In agentic workflows, capability misrepresentation is security-relevant because orchestration layers may invoke the skill expecting a low-risk draft action and instead trigger irreversible public side effects.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
When the script is run directly, it immediately generates and publishes a test post to the configured remote Typecho blog without any confirmation, dry-run mode, or environment guard. In an agent-skill context, this creates an unexpected external side effect and can cause unauthorized content publication, test-data pollution, or accidental writes to a production site.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script reads credentials and endpoint settings from local .env files, including a workspace-level path outside the script directory. In a skill context, this grants the code access to secrets without any explicit user disclosure or scoping controls, increasing the risk of unintended credential use if the skill is run in a broader agent environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script deletes the original draft before completing the republish flow, then creates a new published post. This is destructive behavior beyond simple publishing, and if anything fails after deletion, content or metadata may be lost; in an agent skill, the lack of confirmation makes accidental irreversible actions more dangerous.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The changelog explicitly adds automatic image search via Unsplash and direct upload/publishing to a Typecho blog, but it does not warn users that prompts, images, and article content may be transmitted to external services. In an agent skill context, missing disclosure is risky because users may unknowingly send sensitive local content or metadata to third-party endpoints and a remote blog server.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide advertises a deletion command for blog posts without any warning, confirmation step, or explanation that it is destructive. In a publishing-oriented skill, users may reasonably expect content creation features and could invoke deletion commands without understanding the risk, leading to irreversible content loss if the command is used accidentally or by a downstream agent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The uninstall section includes `rm -rf typecho-blog-publish` without any safety warning or advice to verify the current path. Recursive deletion commands are dangerous because users or automated agents may execute them in the wrong directory or after path substitution errors, causing unintended local data loss beyond the skill itself.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation includes commands for immediate publishing and deletion without any warning, confirmation guidance, or indication that these actions are public or destructive. In an agent skill context, this increases the chance of accidental irreversible content deletion or unintended public posting, especially if a user or downstream agent follows examples verbatim.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to store blog credentials in a .env file but does not warn that these secrets must be protected from source control, logs, and broad filesystem access. Because the credentials are for an administrator blog account and enable publishing and deletion, mishandling them could lead to account compromise and full blog manipulation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quickstart explicitly states that v2.0 publishes posts directly and makes them immediately publicly visible, but the warning appears after the invocation examples rather than clearly before use. This creates a real risk of accidental disclosure of drafts, sensitive content, or unintended public changes because users may follow the commands before understanding the publication impact.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The release documentation explicitly mentions blog management tools including deletion, yet provides no warning, confirmation requirement, or safety guidance for destructive operations. In an agent skill context, undocumented destructive capabilities can lead users or automations to invoke high-impact actions without understanding the risk, increasing the chance of accidental content loss.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.