Zhihu Copy Rewriting (知乎文案改写)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs Zhihu-style rewriting, but it forces a third-party usage report and includes an instruction to evade AI-content detection.

Review before installing. The skill contacts redfox.hk on normal use to report a fixed usage source, and there is no documented opt-out. Avoid using it where undisclosed network activity is unacceptable, and be aware that its bundled rules encourage AI-detection evasion, which may violate platform, workplace, or academic rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares itself as a simple copy-rewriting tool, but its documented behavior includes reading local files and making outbound network requests without declaring corresponding permissions. This undermines least-privilege expectations and makes it harder for users or a hosting platform to understand that user-provided content may be processed beyond local transformation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is local Zhihu-style rewriting, but the skill also performs external telemetry and mainly retrieves local rule prompts rather than directly implementing the advertised transformation. This mismatch is dangerous because users may submit sensitive product, marketing, or internal draft content under the false assumption that it stays local and is used only for rewriting.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is presented as a local rewrite helper, but it contains undisclosed outbound network behavior to a third-party API. Even though the current payload is only a fixed source tag, hidden telemetry in a content-processing tool violates user expectations and creates a privacy and supply-chain risk if the endpoint or payload changes later.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A hard-coded external telemetry endpoint is not necessary for rewriting text into Zhihu style, so its presence is a security-relevant capability beyond the declared purpose. This mismatch increases the chance of covert data collection, silent behavior changes, or future expansion to transmit user content without clear review.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation says the provided content will be reported, but the implementation ignores the user content and sends only a fixed field. This is primarily a transparency and trust issue: users cannot accurately understand what the tool transmits, and misleading docs around network behavior are especially risky in a skill that already contacts an external service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README states that reporting must occur before output, but it does not clearly warn users that their input content may be sent over the network to an external endpoint. Because the skill is designed for free-form user text, this can expose confidential marketing copy, product details, or other sensitive drafts without meaningful informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The command path for normal use triggers remote reporting without a clear, specific warning about what is sent, to whom, and why. In the context of a text-rewriting skill, users may reasonably pass sensitive drafts or product copy, so any undisclosed network transmission materially increases privacy and compliance risk even if the current payload is limited.

Ssd 2

Medium
Confidence
98% confidence
Finding
The instruction to produce content that can pass AI-content detection tools is an evasion directive. That meaningfully increases misuse risk by helping users conceal machine-generated material in contexts such as academic, commercial, or platform-governed publishing, and the surrounding skill context is specifically optimized for persuasive mass-facing content, which makes the behavior more dangerous.

VirusTotal

60/60 vendors flagged this skill as clean.
