Back to skill

Security audit

Ocean Chat

Security checks across malware telemetry and agentic risk

Overview

Ocean Chat is not shown to be malware, but it can turn incoming messages into persistent local Claude or shell execution with weak scoping and disclosure.

Install only if you deliberately want a persistent remote-control channel into a development machine. Avoid enabling `--auto-exec` or arbitrary `--on-message` commands, avoid running it on sensitive repositories or machines with production credentials, review any PM2 autostart configuration, and assume message contents and execution results may be forwarded through OceanBus or WeChat integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The README markets the skill as messaging/contact tooling, but prominently documents using WeChat messages to cause Claude Code on a local computer to automatically execute tasks. That is a materially more dangerous capability than simple P2P chat because it creates a remote-to-local action channel that can be abused for command/task execution, social engineering, or privilege misuse.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The documented `--on-message "cmd"` behavior allows execution of a local command whenever a message is received, substituting attacker-controlled fields such as `{from}`, `{openid}`, and `{content}`. In the context of a networked messaging skill, this is effectively a remote command execution primitive and can lead to arbitrary code execution, data loss, credential theft, or full host compromise if used unsafely.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
`node chat.js listen --on-message "cmd"` is an arbitrary command-execution hook tied to incoming messages, which makes untrusted network input capable of triggering local shell actions. In the context of a chat skill, this is highly dangerous because an attacker can send crafted messages to cause code execution, data exfiltration, or persistence if placeholders are interpolated unsafely.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as a messaging/contact-management tool, but it also implements remote task execution pathways via listen/monitor hooks and auto-exec behavior. This materially expands the attack surface: any party able to send a message can trigger local processing or execution behavior, which is far more dangerous than normal chat functionality.

Description-Behavior Mismatch

Medium
Confidence
74% confidence
Finding
The file adds extra capabilities—yellow-pages publication/discovery and WeChat forwarding—that go beyond the stated core messaging purpose. While not inherently code-execution, these features increase data exposure and discovery surface, especially because message metadata and content may be shared with external services or directories.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
Incoming message content is interpolated into a shell command template and executed with child_process.exec. Escaping only double quotes is insufficient; shell metacharacters, command substitution, and platform-specific parsing can still lead to arbitrary command execution from untrusted remote messages.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
Auto-exec mode takes untrusted incoming message text and feeds it directly to Claude with --dangerously-skip-permissions, then returns the result to the sender. This creates a remote prompt-injection and data-exfiltration channel where a remote contact can coerce local file access, secret disclosure, or code modification under weakened safeguards.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Monitor mode forwards received message content to an external WeChat service, which can leak sensitive chat data, project details, or credentials transmitted over OceanBus. Because forwarding happens automatically, users may unintentionally disclose confidential information to a third party without sender consent.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The document instructs installation of PM2 and creation of a persistent background listener that automatically processes future messages. For a chat/contact/meeting skill, establishing long-lived autonomous execution is unnecessary and materially increases the attack surface by enabling remote tasking and ongoing code execution outside normal user awareness.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill directs the agent to determine the current project directory name and ask another party to read and summarize the project files. That exceeds the declared purpose of messaging and contact management, and creates an unjustified path for project reconnaissance and external disclosure of potentially sensitive repository contents.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documentation explicitly instructs users to run an --on-message hook that interpolates untrusted incoming message content into local shell commands and even into Claude Code prompts. This turns a messaging skill into a remote command/agent-execution channel, which is outside the stated manifest scope and can enable prompt injection, unsafe automation, or shell injection depending on implementation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The opening text markets the skill as a way to dispatch work to Claude Code remotely from WeChat, which reframes a messaging/coordination tool as a remote control plane for code execution. That mismatch increases the chance that users will deploy it with dangerous expectations and without the safeguards appropriate for remote task execution.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This file adds a WeChat message-push integration that is not reflected in the skill's stated OceanBus-only messaging/contact/meetup/threading purpose. Undisclosed external communications expand the trust boundary, can transmit conversation data off-platform, and make it harder for users or reviewers to understand where sensitive content is sent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code automatically reads credentials from another application's local plugin account files under the user's home directory and then uses them for outbound API access. This is a cross-application credential harvesting pattern: even if intended for convenience, it bypasses informed consent and can abuse secrets the user provided for a different tool.

Context-Inappropriate Capability

Medium
Confidence
68% confidence
Finding
Accepting WeChat bot credentials via environment variables is not inherently insecure, but in this skill it enables an external platform integration that is not disclosed by the manifest. The danger comes from hidden data egress and unexpected use of privileged tokens rather than from environment variables themselves.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The examples encourage broad natural-language requests like asking the remote Claude Code instance to 'check a bug' without defining strict boundaries on what actions may be taken. In a system already advertised as remotely driving a local coding agent, ambiguous prompts increase the chance of overbroad execution, unintended file/system modifications, or successful prompt-injection/social-engineering attacks.

Missing User Warnings

High
Confidence
96% confidence
Finding
The README advertises that speaking a sentence in WeChat can cause Claude Code on a computer to execute automatically, but it does not clearly warn users that this can trigger system-impacting behavior on a local machine. That omission is dangerous because users may enable the feature without understanding the risks of remote-triggered actions, especially on developer workstations with source code, credentials, and deployment access.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Automatic mining of recent conversations for names and prompting contact creation expands data use beyond the user's immediate request without a clear privacy notice or consent flow. In a messaging/contact skill, conversation content is sensitive, so secondary use for entity extraction can expose private relationships or topics.

Missing User Warnings

High
Confidence
96% confidence
Finding
The code launches Claude with dangerous permission bypass on untrusted remote prompts without an explicit warning or consent gate at the execution point. This is especially risky because the execution path is embedded in a chat listener, so normal messaging can silently become high-privilege agent action.

Missing User Warnings

High
Confidence
97% confidence
Finding
The custom on-message hook executes commands derived from message data without a clear safety warning or enforcement boundary. Users may reasonably assume they are enabling a simple notification hook, while in reality remote messages can influence local command execution.

Missing User Warnings

High
Confidence
97% confidence
Finding
Monitor auto-exec mode repeats the same unsafe pattern: remote message content is run through Claude with dangerous permission bypass and no explicit warning at execution time. This materially increases the chance of prompt injection, unintended file access, and remote-triggered sensitive output.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The protocol directs the agent to read and persist availability hints and blocked times in a local file, including prompting once and saving the answer for future use, without requiring explicit user notice or consent for ongoing storage. This creates a privacy risk because it accumulates sensitive behavioral and scheduling data that could be retained longer than the user expects or accessed by other local processes/accounts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill specifies that sending an accept message automatically writes meeting time data into blocked and entries records, but does not require a user-facing warning that a filesystem write will occur. Automatic persistence of confirmed meetings can expose sensitive routines and relationship metadata, especially in a messaging/scheduling skill where such data is inherently personal.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The task framing is broad and pushes the agent to generate and initiate a multi-step pairing workflow without clear triggering conditions or user-scoped limits. In the context of a messaging skill, vague activation criteria make unintended execution more likely and can funnel users into risky setup steps they did not specifically request.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation tells the agent to auto-process incoming external tasks and report results, but provides no meaningful warning that this creates an externally triggerable execution channel. In a chat skill, that is especially dangerous because users would reasonably expect message handling, not unattended remote task execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
chat.js:904