Security audit

China Mobile Wangda auto-run Skill (移动网大自动挂机Skill)

Security checks across malware telemetry and agentic risk

Overview

This Wangda course automation skill has real browser-control and persistence capabilities, and its all-sites stealth extension is broader than the disclosed course-learning purpose.

Review before installing. Use only in an isolated Chrome profile and only with an account you are comfortable automating. Be aware it can receive SMS login codes, control a browser through remote debugging, inject a stealth extension into every site loaded by that browser profile, persist scheduled monitor tasks, dump authenticated page contents locally, and terminate Chrome/session state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def kill_chrome():
    user_data_dir = os.environ.get("_WANGDA_USER_DATA_DIR")
    print("Closing existing Chrome instance (if any)...")
    subprocess.run(
        ["pkill", "-if", f"chrome.*user-data-dir={user_data_dir}"],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
Confidence
87% confidence
Finding
subprocess.run( ["pkill", "-if", f"chrome.*user-data-dir={user_data_dir}"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]

    print(f"Starting Google Chrome (Port: {DEBUG_PORT}) ...")
    subprocess.run(cmd_args)
    print("Chrome started.")
Confidence
74% confidence
Finding
subprocess.run(cmd_args)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
["schtasks", "/delete", "/tn", task_name, "/f"], capture_output=True, text=True
    )
    # Create the new task
    result = subprocess.run(
        [
            "schtasks",
            "/create",
Confidence
87% confidence
Finding
result = subprocess.run( [ "schtasks", "/create", "/tn", task_name, "/tr", cmd, "/sc", "MINU

Tainted flow: 'user_data_dir' from os.environ.get (line 120, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def kill_chrome():
    user_data_dir = os.environ.get("_WANGDA_USER_DATA_DIR")
    print("Closing existing Chrome instance (if any)...")
    subprocess.run(
        ["pkill", "-if", f"chrome.*user-data-dir={user_data_dir}"],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
Confidence
89% confidence
Finding
subprocess.run( ["pkill", "-if", f"chrome.*user-data-dir={user_data_dir}"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

Tainted flow: 'cmd_args' from os.environ.get (line 134, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
]

    print(f"Starting Google Chrome (Port: {DEBUG_PORT}) ...")
    subprocess.run(cmd_args)
    print("Chrome started.")
Confidence
71% confidence
Finding
subprocess.run(cmd_args)

Tainted flow: 'dump_path' from os.environ.get (line 303, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
os.makedirs(doc_dump_dir, exist_ok=True)
        dump_path = os.path.join(doc_dump_dir, f"document_tab{tab_idx}.json")

        with open(dump_path, "w", encoding="utf-8") as f:
            json.dump(response, f, ensure_ascii=False, indent=2)

        print(dump_path)
Confidence
81% confidence
Finding
with open(dump_path, "w", encoding="utf-8") as f:

Tainted flow: 'interval_min' from os.environ.get (line 263, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
["schtasks", "/delete", "/tn", task_name, "/f"], capture_output=True, text=True
    )
    # Create the new task
    result = subprocess.run(
        [
            "schtasks",
            "/create",
Confidence
91% confidence
Finding
result = subprocess.run( [ "schtasks", "/create", "/tn", task_name, "/tr", cmd, "/sc", "MINU

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to invoke Python tool scripts that can read/write session state, access the network, and drive login/study flows, yet it declares no permissions or trust boundaries. This creates a capability mismatch: the skill can perform sensitive actions such as account login, session reset, course manipulation, and automated browsing without explicit user-visible permission gating or least-privilege constraints.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The navi function accepts arbitrary URLs and sends Chrome to them, despite the skill description limiting use to wangda.chinamobile.com course workflows. In a skill with access to an authenticated browser profile, arbitrary navigation can be abused for phishing, session abuse, or interacting with unrelated sites using the user's browser context.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The start flow can open Chrome on any caller-provided initial URL rather than only the declared Wangda domains. This broadens the skill from a site-specific learning helper into a general browser launcher, increasing the risk of abuse against authenticated sessions and violating least functionality.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file exposes general-purpose Chrome DevTools control, including DOM extraction, arbitrary script evaluation, and input event dispatch, which is much broader than the advertised course-learning purpose. In the context of an authenticated browser session, these capabilities enable invasive page inspection and manipulation across sites if combined with the unrestricted navigation behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module implements `get_employee_name()`, which navigates to a profile page and extracts a logged-in employee's name from the DOM. That is a data-access capability outside the stated scope of course learning/progress operations, increasing privacy exposure and creating a mismatch between declared behavior and actual behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code reads DOM content from the personal-center page and heuristically extracts a likely employee name, which is personal information unrelated to the declared learning-assistant purpose. Even if only a name is collected, unauthorized profile access can violate least-privilege expectations and enable downstream privacy misuse.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest injects a content script into <all_urls> at document_start, in the page's MAIN world, and across all frames, which is far broader than the stated purpose of assisting with wangda.chinamobile.com course activity. This creates capability to alter or inspect arbitrary websites before page code runs, a strong indicator of stealthy cross-site behavior unrelated to the declared function.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The extension is explicitly described as 'Stealth Anti-DevTools' and 'Bypass anti-devtools detection on web pages,' which is an evasion feature rather than a legitimate course-learning capability. Evasion tooling is dangerous because it helps conceal page manipulation or automation from site defenses and can facilitate unauthorized interaction, fraud, or abuse across targeted sites.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This script is explicitly designed to evade anti-automation and anti-debugging controls by falsifying browser fingerprints, suppressing debugger behavior, tampering with timing APIs, and filtering suspicious callbacks. That behavior is not necessary for a study-assistance skill and materially increases the ability to automate a site covertly while resisting inspection or defensive controls.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file goes well beyond assisting course operations: it subverts page JavaScript behavior, interferes with debugging, alters navigation, and blocks content-clearing primitives. In the context of a Wangda learning helper, these capabilities indicate covert control over the page and reduced detectability rather than normal user assistance.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The implementation does more than anti-detection: it blocks about: navigation, intercepts location mutations, prevents document.open/write clearing, and stops empty innerHTML on body/html. These changes can break legitimate site behavior and conceal page state transitions, which is especially risky when injected at document_start into a live service domain.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill creates and deletes OS-level cron/schtasks entries, establishing persistence beyond ordinary course-navigation functionality. In an agent skill context, persistence is especially dangerous because it continues executing outside the immediate user interaction loop and can survive long enough to monitor, modify state, or trigger unwanted browser automation repeatedly.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The `clear` operation forcefully kills Chrome and removes session state, which exceeds the narrow scope of managing a single learning workflow. In a user environment, indiscriminately terminating Chrome can disrupt unrelated browsing sessions, lose unsaved work, and affect other security-sensitive activities open in the browser.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation rule is broad enough to trigger on generic requests about studying courses or any provided wangda.chinamobile.com URL, which can cause the skill to take over conversations unexpectedly. In a skill that can launch automated study actions, inspect session state, and modify learning progress, overbroad routing increases the chance of unintended execution and unauthorized side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly defines commands to submit a phone number and SMS verification code, which are sensitive personal and authentication factors, but provides no warning about secure handling, masking, logging restrictions, or user-consent expectations. In an agent skill context, this increases the risk that secrets are exposed in chat history, terminal logs, process arguments, or telemetry, enabling account takeover if captured.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The dump_page feature silently writes the full page DOM to disk without explicit notice or confirmation. In this skill context, pages may contain personal learning data or authenticated content, so persisting them locally creates avoidable privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
`check_all_checkboxes()` programmatically clicks every checkbox on the page and forces `checked=true`, without verifying meaning or obtaining user confirmation. This can silently accept terms, privacy consents, marketing options, or other authorizations the user did not intend, which is especially risky on login and profile flows.

Vague Triggers

Medium
Confidence
97% confidence
Finding
Using "<all_urls>" causes the extension to activate on every site, which is unnecessary and risky for a skill meant to operate on a single training platform domain. Even if no malicious payload is shown here, universal activation expands attack surface, enables unintended data exposure or page interference, and makes later abuse far easier.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
