Breaking News

Security checks across malware telemetry and agentic risk

Overview

This skill matches its news-video purpose, but it uses live account and desktop automation in ways that can send or publish content without enough scoped confirmation.

Install only if you are comfortable letting the skill drive a logged-in Douyin browser session and a live WeChat desktop session. Review the hard-coded WeChat recipient, the fixed screenshot path, and the Douyin synchronization toggle before use, and prefer running it in a dedicated account or isolated environment where accidental sends or cross-posts are low impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 3. Cmd+Shift+A to invoke the WeChat screenshot tool
print("[3] Cmd+Shift+A")
subprocess.run(["osascript", "-e",
    'tell app "System Events" to keystroke "a" using {command down, shift down}'], timeout=5)
time.sleep(1.5)
Confidence
94% confidence
Finding
subprocess.run(["osascript", "-e", 'tell app "System Events" to keystroke "a" using {command down, shift down}'], timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 4. Mouse movement: go to the center first → move left 80px → click
offset_x = cx - 80  # offset to the left
print(f"[4] 鼠标: 中心({cx},{cy}) → 左移({offset_x},{cy}) → 点击")
subprocess.run(["cliclick", f"m:{cx},{cy}"], timeout=5)
time.sleep(0.3)
subprocess.run(["cliclick", f"m:{offset_x},{cy}"], timeout=5)
time.sleep(0.3)
Confidence
93% confidence
Finding
subprocess.run(["cliclick", f"m:{cx},{cy}"], timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"[4] 鼠标: 中心({cx},{cy}) → 左移({offset_x},{cy}) → 点击")
subprocess.run(["cliclick", f"m:{cx},{cy}"], timeout=5)
time.sleep(0.3)
subprocess.run(["cliclick", f"m:{offset_x},{cy}"], timeout=5)
time.sleep(0.3)
subprocess.run(["cliclick", f"c:{offset_x},{cy}"], timeout=5)
time.sleep(0.5)
Confidence
93% confidence
Finding
subprocess.run(["cliclick", f"m:{offset_x},{cy}"], timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
time.sleep(0.3)
subprocess.run(["cliclick", f"m:{offset_x},{cy}"], timeout=5)
time.sleep(0.3)
subprocess.run(["cliclick", f"c:{offset_x},{cy}"], timeout=5)
time.sleep(0.5)

# 5. Press Return to confirm
Confidence
95% confidence
Finding
subprocess.run(["cliclick", f"c:{offset_x},{cy}"], timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 5. Press Return to confirm
print("[5] 回车确认")
subprocess.run(["osascript", "-e", 'tell app "System Events" to keystroke return'], timeout=5)
time.sleep(1)

# 5b. Backspace to delete the screenshot auto-pasted into the input box, so it is not sent along with the next message
Confidence
94% confidence
Finding
subprocess.run(["osascript", "-e", 'tell app "System Events" to keystroke return'], timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 5b. Backspace to delete the screenshot auto-pasted into the input box, so it is not sent along with the next message
print("[5b] 删除输入框中的截图")
time.sleep(1)
subprocess.run(["osascript", "-e", 'tell app "System Events" to key code 51'], timeout=5)
time.sleep(0.5)

# 6. Save the clipboard
Confidence
92% confidence
Finding
subprocess.run(["osascript", "-e", 'tell app "System Events" to key code 51'], timeout=5)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The code comment says it disables Toutiao/Xigua synchronization, but the condition clicks the switch when it is not checked, which appears to enable cross-posting instead. In this publishing workflow, that can cause unintended distribution of content to additional platforms, creating privacy, compliance, and reputational risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script performs end-to-end OS GUI automation against WeChat using forced foreground activation, synthetic keystrokes, mouse movement, clicking, and clipboard capture. In the context of a breaking-news production skill, this broad host control is high risk because it can capture private chat content, manipulate a live user session, and behave unpredictably if the desktop state changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends content through WeChat and uploads to Douyin without an explicit privacy or system-impact warning at the point of use. This can expose private media, account state, contacts, or message contents to external services and causes real-world side effects on user-controlled platforms without sufficiently informed consent.

Natural-Language Policy Violations

High
Confidence
88% confidence
Finding
The prompt hard-codes politically sensitive wording rules, such as mandatory terminology for Taiwan and leader titles, without user opt-in or disclosure. This creates a content-manipulation and compliance risk because the generated output may be biased, misleading, or unacceptable in some jurisdictions or for some users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The screenshot is always written to a fixed absolute path under a user workspace with no confirmation, no uniqueness, and no retention controls. This can overwrite prior captures, leave sensitive chat imagery at a predictable location, and increase exposure if other tools or users on the system can access that workspace.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script automatically selects a WeChat contact, pastes a video, cover image, and title, and then sends them with no confirmation or recipient verification step. In the context of a news-publishing skill, this creates a meaningful risk of accidental exfiltration, misdelivery to the wrong contact, or distribution of unreviewed content if paths, focus, or UI state are not exactly as expected.

VirusTotal

VirusTotal findings are pending for this skill version.
