Security audit

ZSXQ Digest

Security checks across malware telemetry and agentic risk

Overview

This is a coherent private Knowledge Planet digest skill, but it handles live account cookies and includes under-scoped paths that can send those credentials outside the intended ZSXQ service.

Install only if you are comfortable treating this as an account-access tool. Keep `state/` private and out of git, backups, screenshots, and support bundles; delete captured cookie files after setup; do not use probe or custom API-base modes against non-ZSXQ URLs unless the code is changed to enforce a ZSXQ allowlist; and use a dedicated browser/profile where possible for bootstrap.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
This script orchestrates external Python and Node helpers and treats their JSON output as authoritative state transitions for an authentication bootstrap flow. In the context of browser/CDP-driven login handling, that expands the trust boundary significantly: compromised or replaced helper scripts can manipulate auth state, drive browser sessions, or mislead downstream automation without integrity checks or trust validation.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The script accepts user-supplied browser WebSocket/CDP endpoints and connects helper scripts to them without validation or authentication checks. Because CDP access can inspect pages, extract session data, and control browser state, allowing arbitrary ws URLs in an auth bootstrap workflow materially increases the risk of session hijacking, cookie theft, or unintended browser automation against a sensitive login session.

Missing User Warnings

Medium
Confidence: 88%
Finding
The document explicitly instructs the agent to capture a visible login QR or prompt from a host-side browser and send it to the user in chat, but it does not define any privacy, replay, or account-sensitivity safeguards. Login QR artifacts and linked prompts are authentication material; exposing them through chat can enable unintended third-party viewing, session hijack attempts, or misuse if the chat channel is logged, shared, or compromised.

Missing User Warnings

Medium
Confidence: 94%
Finding
The design normalizes writing reusable session tokens and captured cookies to local JSON files without specifying file permission restrictions, encryption, retention limits, or cleanup requirements. Because these artifacts can directly authorize access to the user's Knowledge Planet account, insecure at-rest handling on disk materially increases the risk of account compromise through local malware, multi-user hosts, backups, logs, or accidental disclosure.

Missing User Warnings

Medium
Confidence: 91%
Finding
The workflow instructs users to save a JSON snapshot derived from a logged-in browser session, but it provides no warning that the captured data may contain sensitive or account-scoped content. This can lead to inadvertent local retention, sharing, or downstream processing of private information, especially because the capture is intended for authenticated pages and later pipeline ingestion.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script explicitly extracts an authentication cookie from a browser capture and persists the raw cookie value to a local JSON token file. Although this appears to support a legitimate bootstrap workflow, storing reusable session credentials on disk without enforced permission restrictions, encryption, or an explicit confirmation/warning materially increases the risk of credential theft from local compromise, backups, logs, or accidental file sharing.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script enumerates visible links, derives surrounding card text, and returns page title, URL, circle/community name, author names, timestamps, engagement counts, and content previews in bulk. That is effectively page scraping of potentially sensitive user-visible content, and the code contains no consent check, scope restriction, or user-facing disclosure before collection and exfiltration to the caller.

Missing User Warnings

High
Confidence: 97%
Finding
This script explicitly connects to a browser DevTools endpoint, retrieves cookies via Network.getCookies, and then prints or writes the full cookie set to disk without any consent prompt, redaction, or safety gating. Browser cookies are highly sensitive authentication material; exposing them can enable session hijacking, account takeover, and unintended persistence of secrets in logs or files.

Missing User Warnings

High
Confidence: 98%
Finding
In probe mode, the script accepts a user-supplied URL and calls fetch_url(), which unconditionally attaches the session cookie from the token file in the Cookie header. Because there is no allowlist or domain validation tying the destination to zsxq.com, a user can be induced to send valid authenticated session credentials to an arbitrary attacker-controlled endpoint, resulting in direct credential exfiltration and possible account/session compromise.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script serializes page-derived data, including page text, URL, title, and a QR iframe URL, and writes it to any caller-supplied path. Because the destination is unrestricted and there is no confirmation or minimization of what is stored, it can persist sensitive authentication-related data to disk where other users, processes, or logs may access it.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script accepts an arbitrary WebSocket URL and uses it to speak the Chrome DevTools Protocol, then evaluates JavaScript in the connected page to extract page contents and trigger UI actions. This effectively enables remote browser inspection and interaction against whatever debugging endpoint is supplied, which can expose sensitive page data and authentication state without any built-in trust validation or user disclosure.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script evaluates JavaScript in a live browser page, extracts page title, URL, visible text, and QR image state, then prints the collected data and can write it to disk. Even though the apparent purpose is operational probing of WeChat QR login state, this still captures potentially sensitive browser content without any built-in disclosure, minimization, or consent guardrails, which creates a privacy and data-handling risk if used against real user sessions or shared environments.

Missing User Warnings

Medium
Confidence: 88%
Finding
The finalize workflow captures browser cookies, converts them into a token, and writes both cookies and token artifacts to disk without any interactive confirmation, warning banner, or consent checkpoint in this file. Because these artifacts are authentication material, silent capture and persistence increase the chance of credential theft, unintended account access, or later exfiltration by other local processes or tooling.

Ssd 3

High
Confidence: 95%
Finding
The plan instructs users to manually extract a reusable authentication cookie from browser developer tools and persist it locally for automated access. Reusable session artifacts are high-value secrets: if the file is exposed through logs, backups, weak file permissions, malware, or accidental commits, an attacker may impersonate the user and access private Knowledge Planet data until the token expires or is revoked.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.