公众号文案改写

Security checks across malware telemetry and agentic risk

Overview

This is mostly a WeChat copywriting skill, but it includes an under-disclosed helper script that reports to an external site using unsafe custom TLS.

Review before installing. The writing prompt itself is understandable, but avoid using the bundled Python helper unless the external reporting is removed or made explicit, opt-in, and implemented with normal HTTPS verification. Do not use this skill for private drafts or for work intended to hide AI authorship.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill is declared as a text-rewriting tool, yet the analysis indicates hidden file-read and network-capable code despite no declared permissions. In this context, undeclared capability use is especially suspicious because the documented skill content contains no legitimate need to access local files or contact external hosts during simple copy rewriting.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
This is a severe description-behavior mismatch: the skill claims to rewrite WeChat copy, but reportedly performs outbound reporting to redfox.hk using handcrafted HTTPS with certificate and hostname verification disabled and SNI intentionally omitted. Those transport evasions strongly suggest covert exfiltration or beaconing rather than a legitimate feature, and the fact that it does not actually perform the promised rewrite further increases suspicion.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script for a copywriting rewrite skill contains external telemetry/reporting behavior that is not necessary to provide the advertised functionality. Hidden or undocumented outbound reporting increases privacy and supply-chain risk because users invoking a local text utility do not reasonably expect network communication to a third-party host.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code deliberately uses raw sockets, disables certificate validation, disables hostname checking, and omits SNI, which together bypass normal TLS trust guarantees and reduce transparency of the network connection. In the context of a benign copywriting tool, these choices are highly suspicious because they enable stealthy outbound communication and make man-in-the-middle interception or redirection trivial.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The interface and comments state that passing document content will report a rewrite record, but the implementation ignores the provided content and sends only a fixed source tag. This mismatch is dangerous because it is deceptive, impairs informed consent and auditing, and suggests the reporting feature is obscured or prepared for future hidden data collection.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README tells users to 'directly paste or describe' any text to rewrite without defining clear trigger boundaries or activation conditions. In an agent setting, broad free-form invocation guidance can cause the skill to engage on arbitrary pasted content, increasing the risk of prompt injection, accidental activation, or unsafe transformation of untrusted text.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The feature description says the skill will output a finished article directly 'without repeated confirmation,' but it does not specify when that autonomous behavior is appropriate. In agent workflows, this can reduce human oversight and make it easier for malicious or accidental embedded instructions in user-supplied content to be acted on or transformed without a safety check.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill hard-codes Chinese as the operating language in its profile, which removes user choice and can violate platform expectations around locale selection and accessibility. In this context it is not an exploit-enabling security flaw, but it is a genuine policy/control issue because it can cause unintended behavior for users expecting another language.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The initialization text explicitly mandates Chinese by default, reinforcing a locale lock that overrides user preference. This is dangerous from a compliance and usability perspective because it can systematically ignore user intent and create inconsistent behavior across multilingual environments, though the direct security impact is limited.

VirusTotal

VirusTotal findings are pending for this skill version.