Weibo CLI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Weibo lookup skill, with the main caution that an optional login cookie is sensitive and should usually not be provided.

Use the skill without WEIBO_COOKIE when possible. Prefer the local npm install path over global install, review the referenced package before trusting it, and only provide a Weibo cookie if you understand it can represent your logged-in session.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill recommends setting a personal `WEIBO_COOKIE` for higher rate limits but does not warn that a login cookie is a bearer credential tied to the user's account session. In an agent/tooling context, encouraging users to place such secrets into environment variables increases the risk of accidental disclosure through logs, process inspection, shell history, crash reports, or downstream tool access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal