WeChat Official Account Similar-Account Recommendation (公众号相似账号推荐)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated WeChat account benchmarking purpose, but it needs review because it handles persistent API keys and can submit WeChat IDs to RedFox with weak consent and misleading success reporting.

Review before installing. Use only a RedFox API key you can revoke, prefer temporary environment-variable setup over writing secrets to shell profiles, and avoid submitting WeChat IDs unless you are comfortable sending them to RedFox for synchronization and possible follow-up push reporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium (92% confidence)
The skill explicitly tells the agent to help the user persistently set REDFOX_API_KEY in shell profile or user environment configuration. That exceeds the narrow task of account recommendation and creates a lasting local system change that can affect future sessions and unrelated tools. Because the change is instructed proactively rather than only after informed user consent, it increases the risk of unsafe persistence of secrets.

Context-Inappropriate Capability

Medium (92% confidence)
The workflow mandates an always-on subscription prompt even though the primary function is a one-time similar-account query. This expands the skill into notification enrollment without establishing user need, consent boundaries, or clear separation between query results and ongoing messaging, which can enable unwanted contact or dark-pattern style retention flows.

Context-Inappropriate Capability

Medium (95% confidence)
The no-data branch collects a user's WeChat ID and triggers a synchronization request, which materially broadens the workflow from recommendation lookup to account submission and downstream data ingestion. That creates a new data-collection path and external action on behalf of the user without clear minimization, validation, or notice about how the identifier will be used and retained.

Intent-Code Divergence

Medium (95% confidence)
The script tells the user the sync API is not yet available and then still attempts a real network submission with the provided WeChat ID before suppressing any failure. This is dangerous because it causes undisclosed transmission of user-supplied data and creates a misleading consent boundary: users may believe no external action occurred when a real request was attempted.

Vague Triggers

Medium (84% confidence)
The README instructs users to interact through unrestricted natural-language requests without defining clear input boundaries, sensitive-action confirmation, or disallowed data types. In a skill that can trigger backend lookups, synchronization, and subscription/push behavior, broad activation guidance increases the chance of over-collection of identifiers, unintended submissions, or prompt-injection-style misuse through ambiguous user input.

Missing User Warnings

Medium (92% confidence)
The README states that users can submit a WeChat ID for backend synchronization and receive a pushed diagnostic report, but it does not clearly warn that the identifier will be transmitted to a third-party service or explain retention, processing, and consent implications. Because this skill involves external data sync and push delivery, the missing privacy notice can lead to users disclosing account identifiers without informed consent and can expose organizational or personal account metadata to external systems.

Missing User Warnings

Medium (95% confidence)
The skill directs the agent to configure a persistent API key in ~/.zshrc or the Windows user environment without an explicit warning about modifying local configuration or storing credentials persistently. This can cause secret exposure through shell history, profile files, shared accounts, backups, or unintended reuse by other skills and processes. The persistence requirement makes the behavior more dangerous than a one-time runtime prompt.

Missing User Warnings

Medium (88% confidence)
The skill instructs the user to submit a WeChat ID for later data synchronization and automatic report push, but it provides no privacy notice, consent language, or explanation of what third party receives the identifier. This creates a risk of transmitting personal or account identifiers to an external service without adequate disclosure, which is especially sensitive because the workflow includes delayed follow-up processing.

Missing User Warnings

Medium (97% confidence)
The workflow asks the user to provide a WeChat ID for synchronization and later report delivery, but it provides no privacy notice, handling terms, retention limits, or disclosure of third-party processing. Because the identifier is personally linked to an account and is sent into a backend sync flow, users may disclose personal data without understanding the collection or delivery implications.

Missing User Warnings

Medium (88% confidence)
This function sends user-provided account identifiers, names, and types to an external service without an explicit runtime warning at the point of transmission. While expected for a network-backed lookup tool, it is still a privacy and transparency issue because users may not understand that their query terms are being shared with a third-party API.

Missing User Warnings

High (96% confidence)
The sync submission function transmits a user-provided WeChat ID and optional account name to an external API without explicit warning, confirmation, or visible validation. This is dangerous because WeChat identifiers are personal or business identifiers, and sending them off-platform can create privacy, compliance, and user-consent risks, especially when paired with the later misleading success flow.

VirusTotal

64/64 vendors flagged this skill as clean.