Baoyu Post To Weibo

Security checks across malware telemetry and agentic risk

Overview

This Weibo-posting skill is mostly purpose-aligned, but it needs Review because it can control an authenticated browser, use OS-level paste automation, and automatically kill browser debugging processes without asking.

Install only if you are comfortable letting the skill automate a real logged-in Chrome session for Weibo. Use a dedicated Chrome profile, review the composed post before publishing, avoid sensitive clipboard contents while it runs, and be aware that its documented troubleshooting path may kill Chrome/Chromium debugging processes automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium, 96% confidence
Finding
The skill instructs the agent to automatically kill Chrome/Chromium debugging instances and retry without asking the user. That expands behavior from composing a Weibo post into unilateral process termination on the local machine, which can disrupt unrelated browser sessions or developer workflows and cause loss of unsaved work.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
Terminating local Chrome processes is broader than the stated purpose of posting content to Weibo and affects system state outside the skill's core scope. Even if intended for troubleshooting, such instructions create unnecessary destructive authority and can be abused or mishandled in environments where Chrome is used for other active tasks.

Context-Inappropriate Capability

Medium, 91% confidence
Finding
This script performs OS-level UI automation to send real paste keystrokes and, on macOS, can target another application before injecting input. That capability is broader than the stated Weibo-posting scope and could cause clipboard contents to be pasted into whichever window is frontmost, including unrelated apps or sensitive fields, if misused or if focus is wrong.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The macOS AppleScript embeds an arbitrary application name into an activation script and then sends a paste keystroke after bringing that app frontmost. In this skill context, that enables interaction with any local GUI application, not just a browser posting to Weibo, increasing the chance of unintended data disclosure or action in unrelated applications.

Context-Inappropriate Capability

Medium, 88% confidence
Finding
This code invokes external commands via `npx -y bun` to execute local scripts for clipboard and paste automation. Although likely intended to support Weibo posting workflows, it expands the skill's capabilities from browser posting into arbitrary local process execution and dependency resolution, which increases attack surface and could be abused if script paths, package resolution, or execution context are compromised.

Context-Inappropriate Capability

Medium, 80% confidence
Finding
The function enumerates host processes with `ps aux`, matches command lines containing a profile directory and remote debugging flag, and then terminates the matched PIDs. Even if meant to clean up the skill's own Chrome instance, this grants host process-management capability that exceeds simple Weibo posting and could kill unrelated Chrome processes if matching is too broad or inputs are manipulated.

Missing User Warnings

Medium, 97% confidence
Finding
Automatically killing Chrome CDP instances without an explicit warning or confirmation violates safe process-handling expectations for local automation. Users may not understand that browser processes will be terminated, and this can cause data loss, interrupted sessions, or collateral impact on unrelated automation that uses remote debugging.

Missing User Warnings

Medium, 95% confidence
Finding
The code searches standard Chrome user-data directories, reads DevToolsActivePort files, inspects local processes, and attaches to existing Chrome remote debugging endpoints. In the context of a skill that posts to Weibo via Chrome CDP, this can grant access to an already-authenticated browser context, enabling reuse of cookies, open tabs, and privileged session state without an explicit consent boundary.

Missing User Warnings

Medium, 91% confidence
Finding
The function will automatically rename any existing output HTML file to a timestamped backup and then write a new file without any confirmation, safety prompt, or opt-in overwrite policy. In an agent context, this can modify user files as a side effect of rendering, and if the input path or working directory is influenced indirectly, it can overwrite or churn files unexpectedly.

Missing User Warnings

Medium, 92% confidence
Finding
The extension encodes the user-provided PlantUML source and constructs a remote PlantUML server URL, which causes diagram contents to be disclosed to an external service. Even if this is intended functionality, PlantUML often contains architecture, identifiers, or internal workflow details, so sending it off-host without an explicit warning/consent boundary creates a real confidentiality risk.

Missing User Warnings

Medium, 95% confidence
Finding
When inline SVG is enabled, the code fetches SVG content from a remote PlantUML server and injects the returned markup directly into the page via outerHTML. This both discloses diagram content to a third party and creates an additional client-side trust boundary, because remotely supplied SVG is active markup that can contain unsafe content depending on server behavior or compromise.

Missing User Warnings

Medium, 88% confidence
Finding
The code automatically fetches arbitrary remote URLs embedded as image paths and writes them to a local temp directory, with no user-facing disclosure, allowlist, or destination validation. In this skill context, that creates an SSRF/privacy risk because posting Markdown to Weibo can trigger outbound requests to attacker-controlled or internal network endpoints, and it also performs local file creation as a side effect the user may not expect.

Missing User Warnings

Medium, 93% confidence
Finding
This code dynamically imports executable JavaScript from a remote CDN based on a language name and immediately registers it into highlight.js. If the CDN, network path, or storage bucket is compromised, the application can execute attacker-controlled code in the client context; because this is a Weibo-posting skill that likely handles authenticated browser sessions, compromise could expose session data or perform unauthorized actions.

VirusTotal

65/65 vendors flagged this skill as clean.