Security audit

Baoyu Post To Weibo

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Weibo-posting purpose, but it needs review because it uses persistent browser sessions plus broad clipboard, keystroke, and Chrome-process control.

Install only if you are comfortable with a skill opening Chrome with a persistent Weibo login, staging selected text and files in Weibo, using the system clipboard, and sending real paste keystrokes. Use a dedicated Chrome profile when possible, keep focus on the intended browser window during article composition, and review everything carefully before clicking publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium (87% confidence)

Finding: This helper can activate an arbitrary named application on macOS and then send a real OS-level paste keystroke, and on Linux/Windows it injects paste keystrokes into whatever window is focused. That exceeds a narrowly scoped Weibo-posting function and creates a confused-deputy risk: if focus is stolen or the app name is user-controlled, clipboard contents could be pasted into the wrong application or sensitive action field. In the context of a social-posting skill, using broad desktop input injection is more dangerous because it operates outside the browser/session boundary and is not constrained to Weibo.

Vague Triggers

Medium (83% confidence)

Finding: The trigger phrases are broad enough to match common conversational requests like 'share on Weibo' or '写微博', which increases the chance the skill is invoked when the user did not intend this exact automation path. Because the skill can launch a browser session and prepare social media posts, accidental invocation could cause unintended external posting workflows or disclosure of local content selected for upload.

Missing User Warnings

Medium (93% confidence)

Finding: `killChromeByProfile` enumerates all processes and terminates any whose command line contains the provided `profileDir` and a remote-debugging flag. This substring-based matching can kill the wrong local Chrome process if the profile path is ambiguous or attacker-influenced, causing denial of service and potential loss of unsaved browser state; in a browser automation skill, that risk is more relevant because it operates on shared local browser profiles.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.