
Security audit

A股公众号大V

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate A-share WeChat ranking and subscription helper, with disclosed RedFox API use and local cache/subscription files.

Install only if you are comfortable giving the skill a RedFox API key and sending requested account/date or subscription queries to redfox.hk. Review or empty subscriptions.json if you do not want the bundled sample subscriptions, and use clear/remove actions carefully because they change local subscription state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documents use of environment variables, network access, local cache files, and persistent subscription storage, but the manifest does not declare these capabilities. Hidden or undeclared capabilities reduce transparency and prevent users or hosting systems from making informed trust decisions, especially because the skill performs file writes and external API calls. In this context the issue is more dangerous because the skill persists data locally and accesses secrets via environment variables.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The published description says the skill only retrieves a date-based A股公众号 ranking, but the documentation shows materially broader behavior: persistent subscription management, cache read/write, and additional account lookup flows. This mismatch can mislead users into authorizing a skill for a narrow read-only purpose when it actually performs stateful local writes and expanded data operations. The context increases risk because the extra behaviors are not incidental formatting steps; they change the persistence and data-handling model of the skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The manifest description presents the skill as a simple fetcher for rankings and article data, but the documentation also includes persistent subscription management and cached result storage. This is a security-relevant disclosure gap because users may not realize the skill modifies local state or retains data between runs. In this skill's context, silent persistence is more sensitive than a pure read-only query tool.

Description-Behavior Mismatch

Severity: Low
Confidence: 92%
Finding: The manifest description presents the skill as a simple fetcher for rankings and article data, but the documentation also includes persistent subscription management and cached result storage. This is a security-relevant disclosure gap because users may not realize the skill modifies local state or retains data between runs. In this skill's context, silent persistence is more sensitive than a pure read-only query tool.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The script persists subscription state to a local `subscriptions.json` file, which goes beyond the stated skill scope of retrieving A-share public account rankings and article data. While not overtly malicious, this creates undeclared local state and modifies files in the skill directory, which can surprise users, affect privacy, and expand the attack surface if the host expected read-only/query-only behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding: The temporary `--accounts` lookup mode allows arbitrary accountId queries, which is broader than the documented date-based top-30 ranking use case. This is mainly a scope-expansion issue rather than a code-execution flaw, but it can enable access patterns or behaviors users and reviewers would not expect from the declared skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script persists subscription state to a local file and loads auxiliary cached data, which extends the skill beyond the manifest's described read-only ranking retrieval behavior. This hidden statefulness creates an integrity and user-consent risk: an agent or caller could modify durable preferences without that capability being clearly disclosed or expected from the skill description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The add/remove/clear actions allow direct mutation of persistent subscription data, but these capabilities are not reflected in the published skill description. In an agent setting, undisclosed write operations are dangerous because users may invoke what appears to be a data-retrieval tool while the skill silently changes stored state or deletes prior subscriptions.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding: The dataset includes many accounts clearly outside the skill's declared scope of 'A股领域公众号大V账号30个' (30 influential A-share public accounts), such as banks, brands, tourism, gaming, and education accounts. This creates an integrity problem: users may receive irrelevant or misleading results, and downstream agents could act on polluted data as if it were curated financial-scope output.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The file returns substantially more than the promised 30 accounts, which violates the skill contract and can mislead consumers that depend on bounded output size. This is primarily a data-quality and reliability issue, but it can also increase attack surface for ranking manipulation or prompt/context pollution in agent workflows.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The README states users can invoke the skill by 'simply' describing their needs in natural language, which creates overly broad trigger boundaries. In an agent ecosystem, this can cause accidental or inappropriate invocation from loosely related user messages, leading to unnecessary external API calls, unintended subscription actions, or disclosure of ranked account data when the user did not explicitly intend to use this skill.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The README tells users to invoke the skill with broad natural-language phrases such as references to A股公众号 (A-share public accounts) or 股市大V (stock-market influencers), but it does not define clear activation boundaries or disambiguation rules. This can cause the agent to trigger in contexts where the user did not intend to use this skill, leading to unintended external API calls, disclosure of subscription-related data, or confusing cross-tool behavior.

Vague Triggers

Severity: Medium
Confidence: 75%
Finding: Broad trigger phrases like '看看A股大V' ("take a look at the A-share influencers") or '查查今天的' ("check today's") can cause the skill to activate on ambiguous user requests without clear consent to perform network calls or stateful follow-on actions. Over-broad invocation is risky in an agent environment because it may fetch external data or prime later subscription workflows when the user intended only general discussion. The danger is moderate here because the skill has side effects beyond simple retrieval, including cache and subscription features.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill instructs writing to subscriptions.json and cache/last_dual_result.json but does not clearly warn users that local files will be created or modified. Undisclosed local persistence is dangerous because it can leave residual data, affect future runs, and surprise users who expected a stateless lookup tool. In this context the risk is amplified by ongoing subscription behavior that changes what later queries retrieve.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The guide instructs authenticated requests to an external third-party endpoint using an API key but does not warn that user-supplied query data and account lists will be transmitted off-platform. In a skill context, this can create an undisclosed data-sharing path, which is especially risky if user inputs contain sensitive market research, watchlists, or proprietary interests.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The clear operation irreversibly empties a category in the subscription file immediately after argument parsing, with no confirmation, dry-run, or recovery mechanism. In an agent-mediated workflow, a mistaken prompt interpretation or malicious instruction injection could therefore wipe stored subscriptions in one step, causing integrity loss and user disruption.

Env Variable Harvesting

Severity: High
Category: Data Exfiltration
Content:
    """Get API key: CLI arg > env var > config file."""
    if cli_key:
        return cli_key
    env_key = os.environ.get(ENV_KEY)
    if env_key:
        return env_key
    if CONFIG_FILE.exists():
Confidence: 70%
Finding: os.environ.get(ENV_KEY)

Env Variable Harvesting

Severity: High
Category: Data Exfiltration
Content:
def get_api_key(cli_key=None):
    if cli_key:
        return cli_key
    env_key = os.environ.get(ENV_KEY)
    if env_key:
        return env_key
    if CONFIG_FILE.exists():
Confidence: 70%
Finding: os.environ.get(ENV_KEY)

Env Variable Harvesting

Severity: High
Category: Data Exfiltration
Content:
# ─── API key management ──────────────────────────────────────────────────────────
def get_api_key():
    """Get API key: env var > config file."""
    env_key = os.environ.get(ENV_KEY)
    if env_key:
        return env_key
    if CONFIG_FILE.exists():
Confidence: 70%
Finding: os.environ.get(ENV_KEY)

VirusTotal

64/64 vendors flagged this skill as clean.
