Back to skill

Security audit

Multi Writing Skills Main

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real publishing and AI-writing tool, but it needs review because it stores powerful account credentials and can send or publish user content to external services with limited warnings and controls.

Install only if you are comfortable giving this skill publishing-account credentials and sending drafts, prompts, images, or CSS/image URLs to third-party services. Prefer environment variables or a restricted test account, avoid confidential drafts, verify whether each platform action creates a private draft or a public post, and do not use untrusted remote CSS or image URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The converter allows a caller-supplied api_endpoint and then POSTs the full Markdown content to that remote host. In an agent/skill context, this creates an arbitrary outbound network path that can exfiltrate document contents to attacker-controlled infrastructure or be abused for SSRF-like access if internal endpoints are reachable.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This converter injects unescaped user-controlled markdown content directly into HTML in multiple paths, including headers, blockquotes, tables, links, images, paragraphs, and inline formatting. An attacker supplying markdown with raw HTML or attribute-breaking payloads can produce scriptable or malicious HTML, leading to XSS or content injection in any consumer that renders the generated HTML.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to extract and set sensitive platform credentials, including browser cookies, but does not warn about the security risks of handling session tokens or storing them improperly. Cookies copied from developer tools may grant direct account access, so normalizing this workflow without guidance increases the chance of credential theft, accidental disclosure, or unsafe reuse in shared environments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises automatic image upload and multi-platform publishing but does not disclose that article text and images will be transmitted to third-party services. In a tool that also supports AI writing and image generation, lack of disclosure can cause users to unintentionally send confidential, copyrighted, or regulated content to external platforms and providers.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger conditions are very broad and map directly to common natural-language requests such as converting Markdown, publishing articles, writing content, and generating images. This increases the chance of unintended auto-invocation for ordinary user prompts, causing the skill to perform sensitive content transformation or publication actions without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises content rewriting, AI humanization, image generation, and one-click publishing to external platforms, but does not warn users that it may modify content and send it to third-party services. In this context, the lack of disclosure and confirmation is dangerous because users may unknowingly trigger irreversible or privacy-impacting actions, including publishing drafts or transmitting article content to external APIs.

Missing User Warnings

High
Confidence
91% confidence
Finding
The `config set` command stores sensitive values such as app secrets, cookies, and AI API keys, then persists them with `settings.save()` without warning users that credentials are being written to disk. This increases the risk of accidental credential exposure through weak file permissions, backups, shared machines, or source-control mistakes.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
When `--api` or `--ai` is used, article content is transmitted to external services, but the CLI provides no explicit disclosure or confirmation at the point of use. Users may unintentionally send confidential drafts or proprietary content off-host, especially because the feature is framed as a formatting/conversion option.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The write, rewrite, and humanize commands send user topics or full document contents to external AI providers, but the CLI does not make this explicit at invocation time. This can expose confidential or regulated content to third-party services without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The image generation flow sends prompts to external providers and may then download remote content from returned URLs, but the user is not clearly warned about either outbound prompt transmission or inbound remote retrieval. This can create privacy risk and, depending on provider behavior, exposure to untrusted remote content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The save() method persists highly sensitive material such as AI API keys, platform cookies, and app secrets to a YAML file in the user's home directory. Writing secrets to disk in plaintext increases the risk of credential theft from local compromise, backups, logs, shared accounts, or overly permissive filesystem permissions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends the Markdown body to an external API service without any visible disclosure, consent flow, or warning at the call site. If users supply sensitive drafts, secrets, or proprietary content, the skill silently transfers that data off-system, creating a privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends full Markdown content, including any embedded sensitive data, to third-party AI providers without any built-in disclosure, consent, redaction, or policy checks. In a writing/conversion skill, users may reasonably submit private drafts, credentials, internal docs, or unpublished content, so silent external transmission creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The converter sends the full markdown body and title to a remote endpoint, which can expose sensitive or proprietary content to third-party services. In a writing/conversion skill, this is contextually expected behavior, but it is still a real data disclosure risk when users are not clearly informed or given control over whether external transmission occurs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function accepts arbitrary http/https URLs and fetches remote CSS, which creates an SSRF-like outbound request capability and causes implicit network access without clear disclosure. If an attacker can influence css_path, they may trigger requests to internal services, cloud metadata endpoints, or attacker-controlled hosts, and the fetched CSS is then trusted as theme input.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file allows custom themes to be loaded from arbitrary local paths or URLs via `css_path`, which can cause the application to fetch untrusted remote content or read unexpected local files depending on how `load_css_theme` is implemented. In a content-rendering pipeline, untrusted CSS can also become an injection vector for downstream HTML rendering, privacy leaks, or SSRF/local file access if user input controls the path.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code sends full user-provided content to third-party AI APIs, but the skill surface shown here provides no disclosure, consent flow, redaction, or policy guardrails before transmission. That creates a real privacy and data-governance risk, especially because the feature is specifically designed to process arbitrary user text that may contain sensitive or regulated information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The method accepts arbitrary image paths and will either fetch a remote URL or read a local file, then upload the resulting bytes to WeChat. If an attacker can influence `image_path`, this enables server-side request forgery against internal resources and unintended local file exfiltration to an external service, which is a real security issue beyond mere lack of disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The upload_image method will fetch any user-provided http/https URL server-side and then re-upload the contents, which creates an SSRF-like primitive and can be abused to make requests to arbitrary hosts. Even though cookies are not attached to the image fetch, this can still be used for internal network probing, unintended access to local services, or bandwidth/resource abuse in the environment running the skill.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The code sends user-provided topic, content, title, and context to an external AI API without any visible consent, warning, or minimization controls. In a writing assistant, users may paste sensitive drafts or proprietary material, so silent transmission to a third party creates a real privacy and data-governance risk.

Ssd 1

Medium
Confidence
86% confidence
Finding
User-controlled topic and context are interpolated directly into a single prompt with no delimiting, role separation, or instruction hierarchy protections. An attacker can embed adversarial text such as 'ignore prior instructions' into otherwise normal prose, causing the model to deviate from the intended writing task or produce unsafe/unreliable output.

Ssd 1

High
Confidence
95% confidence
Finding
The rewrite path is more dangerous because arbitrary source text is treated inline inside the prompt, so malicious instructions can be hidden in the text being 'rewritten.' Since rewriting untrusted content is a core feature here, prompt injection is highly plausible and can override task intent, leak surrounding prompt content, or generate manipulated outputs.

External Transmission

Medium
Category
Data Exfiltration
Content
async def _call_openai(self, system_prompt: str, user_content: str) -> str:
        """调用 OpenAI API"""
        base_url = self.config.base_url or "https://api.openai.com/v1"

        response = await self._client.post(
            f"{base_url}/chat/completions",
Confidence
94% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
async def _call_anthropic(self, system_prompt: str, user_content: str) -> str:
        """调用 Anthropic API"""
        response = await self._client.post(
            "https://api.anthropic.com/v1/messages",
            headers={
                "x-api-key": self.config.api_key,
                "anthropic-version": "2023-06-01",
Confidence
90% confidence
Finding
https://api.anthropic.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# 预设的 API 端点
BUILTIN_ENDPOINTS = {
    "mdnice": "https://api.mdnice.com/api/v1/markdown",
    "wechat": "https://api.weixin.qq.com/cgi-bin/media/upload",  # 示例
}
Confidence
86% confidence
Finding
https://api.mdnice.com/

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.