Multi Writing Skills Main

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real publishing and AI writing tool, but it stores account secrets and can transmit or publish user content with weaker disclosure and controls than its authority warrants.

Install only if you are comfortable giving this skill high-value publishing credentials and sending drafts/prompts to third-party services. Prefer environment variables or a restricted account, avoid confidential drafts, verify whether each platform action creates a private draft or public post, and avoid untrusted remote CSS/image URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The module description presents the component as a Markdown converter but does not disclose that, in API mode, full document content may be transmitted to an external service. This is a real security/privacy concern because users or integrators may process sensitive drafts, credentials, or proprietary text without realizing it leaves the local environment.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The docstring for the API conversion helper understates behavior by describing only conversion, while the implementation posts the supplied Markdown to a configurable remote endpoint. That omission can cause unsafe assumptions during review and deployment, especially when the input may contain confidential content.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
This converter injects unescaped user-controlled content into HTML elements and attributes in multiple places, including title, headers, links, images, table cells, blockquotes, paragraphs, and list content. An attacker can craft Markdown that breaks out of attributes or inserts raw HTML/JavaScript payloads, leading to XSS or HTML injection wherever the generated HTML is rendered, and the reassuring docstring makes the issue more concerning because it may create a false sense of safety.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README instructs users to collect sensitive platform credentials and browser cookies, then use them for automated publishing, but it does not warn about credential sensitivity, secure storage, account takeover risk, or the consequences of automated posting. In an agent/skill context, this increases the chance that users hand over high-value secrets or trigger unintended account actions without informed consent.

Missing User Warnings

Low
Confidence: 86%
Finding
The README advertises image generation through third-party AI providers but does not disclose that prompts and possibly related content may be transmitted to external services. Users may unknowingly send confidential, copyrighted, or sensitive material to providers with separate retention and policy terms.

Vague Triggers

Medium
Confidence: 95%
Finding
The skill is configured to auto-trigger on very broad natural-language intents such as writing, converting, publishing, and image generation, without clear scoping or confirmation boundaries. In an agent environment, this can cause unintended invocation of capabilities that may transform content or publish externally when the user did not explicitly request this exact skill, increasing the risk of accidental actions and data exposure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation prominently advertises one-click publishing to WeChat, Zhihu, and Toutiao, plus AI/image features, but does not warn that article content, prompts, or images may be transmitted to third-party platforms or model providers. This is dangerous because users may provide sensitive drafts or proprietary content without realizing it will leave the local environment and be sent to external services.

Missing User Warnings

Medium
Confidence: 83%
Finding
The image-generation flow not only sends prompts to external providers but also downloads a remote URL and writes the response directly to a user-chosen path without validating the URL origin, checking content type, or enforcing size limits. If a provider or upstream service returns a malicious or unexpected URL/response, the tool could save arbitrary content to disk, potentially causing overwrites, disk exhaustion, or storing dangerous files under trusted filenames.

Missing User Warnings

Medium
Confidence: 90%
Finding
The save() method persists sensitive values such as API keys, app secrets, and cookies to a YAML file under the user's home directory. Storing credentials on disk in plaintext increases exposure to local compromise, backups, accidental sharing, and other processes or users reading the file if permissions are too broad.

Missing User Warnings

Medium
Confidence: 98%
Finding
This code sends complete Markdown content to an external HTTP API, potentially including sensitive text and embedded links, without any built-in warning, consent mechanism, allowlist, or restriction on the destination. In an agent skill context, that is more dangerous because upstream users may assume content transformation is local and may unknowingly exfiltrate proprietary or personal data.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code sends full Markdown content to third-party AI providers (OpenAI, Anthropic, Gemini) over the network, but there is no consent, warning, redaction, or policy gate before transmission. If users process confidential, proprietary, or regulated content, this can cause unintended data disclosure to external services and violate privacy or compliance requirements.

Missing User Warnings

Medium
Confidence: 92%
Finding
The converter sends full markdown content and title to a remote endpoint, which can expose sensitive or proprietary user data to third parties. In this skill context, the endpoint may be user-supplied or selected from built-ins, and there is no visible consent, warning, allowlist enforcement, or data minimization before transmission.

Missing User Warnings

Medium
Confidence: 88%
Finding
The function fetches CSS from arbitrary user-supplied HTTP/HTTPS URLs, which can trigger outbound network access to attacker-controlled destinations. In agent or server environments this creates SSRF-style risk, enables internal network probing if reachable URLs are allowed, and may leak network metadata or be abused for unexpected egress.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code sends full user-provided content and prompts to third-party AI endpoints without any built-in notice, consent check, or data handling guardrails. This creates a real privacy and compliance risk because sensitive or proprietary text may be transmitted externally by default, especially since multiple providers are supported and custom endpoints are allowed.

Missing User Warnings

Medium
Confidence: 86%
Finding
The provider decodes returned image data and writes it to a NamedTemporaryFile with delete=False, creating a persistent file on disk. If the host is multi-user, compromised, or handles sensitive prompts/images, this can leave recoverable artifacts and expose generated content beyond the intended lifetime of the operation.

Missing User Warnings

Medium
Confidence: 92%
Finding
The adapter will fetch arbitrary attacker-controlled URLs when `image_path` starts with http/https, then re-upload the response content to Toutiao. This creates an SSRF-style primitive that can be abused to make requests to internal services or cloud metadata endpoints, and may also process unexpected large or non-image content without validation.

Missing User Warnings

Medium
Confidence: 92%
Finding
The adapter accepts arbitrary http/https URLs for `image_path`, fetches them server-side, and then re-uploads the content to WeChat without validation, disclosure, or restrictions. This creates an SSRF-style primitive and unintended third-party data transfer risk, especially if untrusted users can supply image URLs or if internal-only endpoints are reachable from the host running this code.

Missing User Warnings

Medium
Confidence: 86%
Finding
The `upload_image` method will fetch arbitrary attacker-controlled URLs and then upload the response body to Zhihu, which creates an SSRF-like capability and can also exfiltrate internal or local-network accessible resources through the server running this code. Because the same function also uploads local files by path with no allowlist, confirmation, or path restrictions, misuse could disclose sensitive data to a third party if untrusted input reaches `image_path`.

External Transmission

Medium
Category: Data Exfiltration
Content
async def _call_openai(self, system_prompt: str, user_content: str) -> str:
    """Call the OpenAI API"""
    base_url = self.config.base_url or "https://api.openai.com/v1"

    response = await self._client.post(
        f"{base_url}/chat/completions",
Confidence: 91%
Finding
https://api.openai.com/

External Transmission

Medium
Category: Data Exfiltration
Content
async def _call_anthropic(self, system_prompt: str, user_content: str) -> str:
    """Call the Anthropic API"""
    response = await self._client.post(
        "https://api.anthropic.com/v1/messages",
        headers={
            "x-api-key": self.config.api_key,
            "anthropic-version": "2023-06-01",
Confidence: 90%
Finding
https://api.anthropic.com/

VirusTotal

VirusTotal findings are pending for this skill version.