Weibo Microblogging CLI

Security checks across malware telemetry and agentic risk

Overview

This Weibo skill is mostly transparent, but its raw API command can send a Weibo access token to arbitrary URLs, so it needs review before installation.

Install only if you can constrain use of the raw `call` command. Prefer the named Weibo commands, keep `WEIBO_ACCESS_TOKEN` in a secret manager, avoid passing absolute URLs to `call`, and patch or policy-block the script so it only sends credentials to api.weibo.com. Enable the Brave companion only when you intentionally accept sending search queries to Brave with a separate API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares environment variables, shell usage, and outbound network access but does not declare permissions explicitly, which weakens policy enforcement and user/operator visibility into what the skill can do. In an agent setting, this increases the risk of unintended secret exposure or unauthorized external calls because the runtime may grant capabilities implicitly rather than through auditable least-privilege controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description frames the capability as official Weibo API usage, but the command surface includes a generic arbitrary API caller, token introspection, and a separate fallback to Brave Search over weibo.com. That mismatch can mislead operators and downstream policy systems, allowing broader data access and external transmission than expected, especially when access tokens and search queries may contain sensitive investigative or user data.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documented `call` command explicitly allows requests to arbitrary Weibo API paths beyond the narrow scope described in the skill metadata (OAuth, timelines, and topic search). In an agent setting, this expands the tool's effective authority and can let prompts or downstream components invoke unintended Weibo operations, including access to additional user/account data or state-changing endpoints if the token permits them.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
`cmd_call` accepts absolute `http://` or `https://` URLs and passes them directly to `curl`, so the skill can be used as a general outbound HTTP client rather than a Weibo-only integration. This creates SSRF-style risk, token leakage to attacker-controlled hosts when `--access-token` is included, and policy bypass because the implementation exceeds the declared trust boundary of the skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Allowing arbitrary outbound HTTP(S) from a Weibo-specific skill is unjustified capability expansion. In practice, this lets an attacker use the agent as a network proxy to reach unintended external services, and because the function can append the configured access token, it also risks credential exfiltration and unauthorized disclosure.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill metadata says it uses the official Weibo Open Platform, but this script instead performs discovery through Brave Search. That mismatch can mislead operators about what external service is being contacted, what credentials are required, and what data leaves the environment, reducing transparency and trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script introduces a third-party dependency and credential unrelated to the stated Weibo Open Platform purpose. In a security-sensitive agent setting, this expands the attack and data-exposure surface because user queries are transmitted to Brave and deployment now depends on an extra secret not clearly justified by the advertised functionality.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The file is presented as a Weibo-oriented tool, but the implementation actually queries Brave Search. This deceptive framing is dangerous in an agent ecosystem because reviewers and users may incorrectly assume traffic stays within Weibo-related APIs and may approve broader network access than intended.

VirusTotal

66/66 vendors flagged this skill as clean.
