Juejin Automation

Security checks across malware telemetry and agentic risk

Overview

The Juejin posting tool mostly does what it says, but it also ships an undisclosed EvoMap publishing script with an embedded secret and unrelated outbound behavior.

Install only if you intend to let the tool post to your Juejin account and you can protect the cookie like a password. Avoid running scripts/publish_to_evomap.py unless you explicitly want the EvoMap publishing/heartbeat behavior; the maintainer should remove or clearly disclose that script and rotate the exposed secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding:
The skill advertises network-capable behavior but does not declare permissions, which weakens transparency and reviewability for users and platforms. In a skill that handles login cookies and performs remote operations, undeclared network access makes it easier to hide unexpected outbound communication and increases the chance of credential misuse going unnoticed.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The documented purpose does not match the reported runtime behavior: beyond Juejin automation, the skill reportedly fetches current-user info and communicates with an unrelated remote EvoMap service to publish assets/metadata and send heartbeats. This is highly dangerous because users may provide high-value session cookies under the belief the skill only talks to Juejin, while the code may exfiltrate metadata or credentials to third-party infrastructure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
This script performs EvoMap publishing and heartbeat operations that are unrelated to the advertised Juejin end-user automation scope, creating hidden behavior and an unexpected external control/data channel. Scope mismatch is security-relevant because users or operators may run the skill expecting only Juejin actions, while the code also communicates with a third-party hub using node credentials.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation tells users to extract and pass full authenticated cookies, including session-bearing values, without prominent warnings about their sensitivity, storage risks, or account takeover implications. In this skill's context, that is especially risky because cookies can grant direct account access and the skill is also associated with suspicious undocumented network behavior, increasing the blast radius if those credentials are logged, mishandled, or exfiltrated.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
A long-lived secret is hardcoded directly in source and then used as a bearer token for remote requests. Anyone with access to the repository, package, logs, or copied script can reuse the credential to impersonate the node, publish fraudulent assets, send heartbeats, or abuse the associated remote service account.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script sends skill metadata and authenticated requests to an external service without clear user-facing disclosure or consent. In the context of a skill expected to automate Juejin actions, undisclosed outbound transmission is more dangerous because operators may not realize they are publishing metadata and identifiers to a third party.

VirusTotal

53/53 vendors flagged this skill as clean.
