Content Forge

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful content-conversion workflow, but it also gives agents instructions for paywall bypass, raw cookie use, external uploads, and persistent sharing destinations.

Install only if you are comfortable with a skill that may use browser automation, logged-in sessions or cookies, proxies, external AI services, and cloud document systems. Use it only with content you are authorized to access and transform; do not paste raw session cookies; review every external upload or write destination before running; and prefer local-only or manual input paths for paywalled, confidential, or personal material.

Publisher note

ContentForge (内容工坊): drop any Chinese content in and get AI podcasts, PPTs, mind maps, and deep reports instantly. Deeply customized for Chinese users, with 5 killer templates built in:

  • 📸 WeChat Official Account (公众号) → IMA: article link or text → podcast audio / mind map / flashcards
  • 🎙 Xiaoyuzhou (小宇宙) → Feishu: podcast link + AI transcript → Feishu doc (auto-sync)
  • 🪐 ZhihuSpace (知识星球) → Mind Map: post text → structured mind map
  • 📰 Caixin (财新) → Podcast: paid article → audio overview (~15 min podcast)
  • 📺 Bilibili / Video Account (视频号) → PPT: video transcript → slide deck

Localization: Chinese-first / Feishu integration / IMA knowledge base / local LLM fallback
Core: 9 generation types / Playwright browser automation / 9/9 verified in testing / 24h quota auto-reset / local-only processing / zero-config
Stack: Playwright / NotebookLM / IMA API / Feishu API

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (35)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises broad network and shell-capable behavior without any declared permission model or user-facing scoping. In practice this can lead to silent execution of browser automation, CLI commands, external uploads, and local file access without clear consent boundaries, increasing the risk of data exfiltration or unintended side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates materially sensitive behaviors: automated login to Google NotebookLM, reading local authentication state, taking screenshots, downloading files, and operating third-party services. This mismatch prevents informed consent and can cause users to expose credentials, private content, or generated artifacts to external systems they did not realize would be accessed.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This reference file explicitly prioritizes methods for bypassing paywalls and anti-scraping controls, including proxying, bot impersonation, mirrors, and local fetch fallbacks. In the context of a skill advertised as converting user-provided content into podcasts/PPTs/reports, these instructions materially expand the capability into unauthorized content acquisition, increasing legal, policy, and abuse risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The document introduces credential injection, user-agent spoofing, proxy routing, mirror usage, and anti-bot evasion techniques that are disproportionate to the stated content-transformation purpose. These mechanisms can be used to obtain restricted content without proper authorization and create a reusable playbook for circumventing publisher protections.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Labeling 'user cookie injection' as the 'only 100% solution' normalizes active use of session credentials inside the skill and shifts the design toward accessing protected resources rather than transforming already-provided content. Even if intended for legitimate subscribers, this framing encourages credential handling as a primary mechanism without safeguards or scope limitation.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The scenario explicitly frames the feature as using methods to obtain paywalled Caixin content ('绕付费墙抓取', i.e. 'bypass the paywall and scrape') before converting it to audio. That exceeds a normal content-conversion workflow and introduces copyright/paywall-circumvention behavior, which is especially risky because the skill is presented as an end-user automation path rather than a compliance-reviewed archival or licensed ingestion tool.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The acquisition strategy enumerates multiple circumvention paths—authenticated cookie reuse, AMP probing, mirrored WeChat copies, OCR from app screenshots, and manual extraction—to recover paid content. This is dangerous because it operationalizes unauthorized access and reuse of protected material, turning the skill into a playbook for defeating access controls rather than merely transforming user-provided content.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill extends from content conversion into automated AirDrop, NAS placement, and podcast publishing/distribution. While not inherently malicious, this broadens the capability surface beyond the stated manifest and can facilitate wider redistribution of potentially unauthorized content, increasing legal and data-governance risk.

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
Writing generated files to local Downloads and proposing NAS/RSS publication goes beyond simple conversion and creates persistence and redistribution risks. In the context of this scenario, that is more dangerous because the upstream content may have been obtained through questionable paywall-circumvention paths, making downstream storage and publication amplify the harm.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script’s stated purpose is path/check verification, but it performs real state-changing actions in a live NotebookLM account: creating a notebook, inserting content, and triggering generation. In an agent skill context, this is dangerous because a user may expect a harmless health check while the script actually mutates external account data and consumes service quotas.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file explicitly defines prioritized methods for accessing paywalled content, including proxying, bot impersonation, disguise, cache retrieval, browser automation, mirrors, and user-cookie use. That exceeds a normal content-conversion workflow and materially enables unauthorized access to restricted content, increasing legal, compliance, and platform-abuse risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The configuration names concrete evasion techniques such as 'bot-ua', 'generic-disguise', 'google-cache', 'wechat-mirror', and 'agent-fetch' for paywalled sites. These are not incidental implementation details; they operationalize bypass tactics that can defeat publisher access controls and can be repurposed for systematic scraping or content theft.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes ingesting and transforming third-party content from sources including paywalled platforms, but the primary usage guidance does not prominently warn users about copyright, subscription compliance, or privacy/data-handling obligations. In a skill designed to fetch, summarize, and republish content into podcasts, PPTs, and reports, that omission increases the likelihood of misuse and unauthorized redistribution.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are so broad that common requests like converting content to a podcast or PPT may invoke this skill unexpectedly. Because the skill can automate external services and sync data, overbroad activation raises the chance that sensitive user content is processed or uploaded without the user's informed intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill highlights synchronization to Feishu and IMA and fallback model behavior, but does not prominently warn that user content may be sent to external services and stored locally or remotely. This omission is dangerous because users may submit copyrighted, confidential, or personal material without understanding retention, sharing, or residency implications.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The document tells users to add proxy variables to ~/.zshrc, which persists across future shell sessions and changes network routing for other tools, but it does not clearly warn about that scope or how to revert it. In this skill context, the behavior appears operational rather than malicious, yet it can still cause unintended traffic routing, privacy issues, or confusing failures in unrelated commands.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Requesting or accepting user login cookies without any warning or handling requirements exposes highly sensitive session credentials that can enable account takeover, subscription abuse, and privacy violations if logged, stored, or reused. The absence of safeguards is especially dangerous because cookies are bearer tokens and often grant immediate authenticated access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The WeChat section instructs users to provide logged-in cookies for article access but omits any notice about account, session, and privacy risk. Because these cookies may grant access to personal account state and authenticated actions, mishandling them could compromise the user's account or expose private data.

Missing User Warnings

High
Confidence
95% confidence
Finding
The document explicitly contemplates accepting user-provided login cookies to access restricted content, but it does not define safe handling, storage, redaction, scope limitation, or disposal requirements for those credentials. Session cookies are highly sensitive secrets; mishandling can enable account takeover, unauthorized access to paid/private content, and leakage of a user's authenticated identity.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guidance recommends detecting and configuring proxy settings for NotebookLM access without warning that proxies may route sensitive content, URLs, metadata, or generated artifacts through third-party infrastructure. In a skill that processes private articles, notes, and reports, silent proxy use can materially increase data-exposure risk.
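
The two proxy findings above (the ~/.zshrc export and the silent routing of content through third-party infrastructure) both come down to scope: a proxy exported from a shell startup file reaches every later tool in every later shell. The following is an added example, not code from the ContentForge skill or the SkillSpector scan, showing the narrower alternative: hand the proxy to the one child process that needs it, audit what the current shell already exports, and predict which destinations other tools would send through the proxy. The function names (proxy_env, run_with_proxy, child_sees_proxy, persisted_proxy_vars, routed_via_proxy), the placeholder proxy URL and the example hostnames are assumptions made for this illustration; routed_via_proxy() approximates the NO_PROXY rule most clients apply, and individual tools differ in detail.

```python
"""Scope a proxy to one process instead of exporting it from ~/.zshrc.

Added example, not part of the ContentForge skill. The proxy URL and hostnames
are placeholders; routed_via_proxy() approximates common NO_PROXY semantics.
"""
from __future__ import annotations

import os
import subprocess
import sys
from collections.abc import Mapping, Sequence
from urllib.parse import urlsplit

PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY")


def proxy_env(proxy_url: str, base: Mapping[str, str] | None = None,
              no_proxy: str = "localhost,127.0.0.1,::1") -> dict[str, str]:
    """Return a copy of the environment with proxy variables set; the caller's is untouched."""
    env = dict(os.environ if base is None else base)
    for name in ("HTTP_PROXY", "HTTPS_PROXY"):
        env[name] = proxy_url
        env[name.lower()] = proxy_url   # many tools only read the lowercase form
    env["NO_PROXY"] = env["no_proxy"] = no_proxy
    return env


def run_with_proxy(argv: Sequence[str], proxy_url: str) -> subprocess.CompletedProcess[str]:
    """Run one command through the proxy without persisting anything anywhere."""
    return subprocess.run(list(argv), env=proxy_env(proxy_url),
                          capture_output=True, text=True, check=False)


def child_sees_proxy(proxy_url: str) -> str:
    """Spawn a Python child and report the HTTPS_PROXY it observes (proves the scoping)."""
    probe = "import os; print(os.environ.get('HTTPS_PROXY', ''))"
    return run_with_proxy([sys.executable, "-c", probe], proxy_url).stdout.strip()


def persisted_proxy_vars(environ: Mapping[str, str] | None = None) -> dict[str, str]:
    """Proxy variables the current shell already exports, e.g. left behind by ~/.zshrc."""
    environ = os.environ if environ is None else environ
    return {k: v for k, v in environ.items() if k.upper() in PROXY_VARS}


def routed_via_proxy(url: str, environ: Mapping[str, str]) -> bool:
    """Would a typical client send this URL through the proxy under this environment?

    Rule approximated: <SCHEME>_PROXY (or ALL_PROXY) is set and the host is not
    matched by any NO_PROXY entry (exact host, domain suffix, or '*').
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    var = f"{parts.scheme.upper()}_PROXY"
    proxy = (environ.get(var) or environ.get(var.lower())
             or environ.get("ALL_PROXY") or environ.get("all_proxy"))
    if not proxy:
        return False
    no_proxy = environ.get("NO_PROXY") or environ.get("no_proxy") or ""
    for entry in (e.strip().lower().lstrip(".") for e in no_proxy.split(",")):
        if entry and (entry == "*" or host == entry or host.endswith("." + entry)):
            return False
    return True


if __name__ == "__main__":
    proxy = "http://127.0.0.1:7890"                      # placeholder proxy
    print("child sees:", child_sees_proxy(proxy))        # the proxy URL
    print("parent has:", persisted_proxy_vars())         # {} unless your shell already exports one
    # Constructed environment modelling what a ~/.zshrc export leaves behind:
    persisted = {"https_proxy": proxy, "no_proxy": "localhost,127.0.0.1"}
    print(routed_via_proxy("https://nas.example/share", persisted))   # True: NAS traffic rerouted
    print(routed_via_proxy("https://localhost:8443/", persisted))     # False: excluded by no_proxy
```

Running persisted_proxy_vars() in a fresh shell is the quickest check for whether an earlier ~/.zshrc edit is still in effect; to revert, delete the export lines from ~/.zshrc and unset the variables in any open shell.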

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The file instructs users to configure API credentials through environment variables but does not label them as secrets or warn against logging, echoing, committing, or exposing them in error output. While environment variables are common, failing to treat these values as sensitive can lead to credential leakage and unauthorized API use.
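
The cookie findings above ask for scope limitation and redaction of pasted session cookies, and the finding directly above asks for API credentials read from environment variables to be kept out of logs and error output. The following is an added example, not code from the ContentForge skill or the SkillSpector scan, of those two controls: a cookie captured for one publisher is only ever attached to requests for that publisher's hosts, cookie values are stripped before anything is logged, and secret values pulled from the environment are scrubbed from arbitrary text. The allowlist, the helper names (parse_cookie_header, cookie_allowed, redact_cookie_header, redact_secrets, secrets_from_env), the placeholder variable EXAMPLE_API_KEY and the sample cookie header are assumptions constructed for this illustration.

```python
"""Scope-limit and redact session cookies and environment secrets in an agent skill.

Added example, not part of the ContentForge skill. Allowlist, variable names and
sample inputs are constructed for illustration.
"""
from __future__ import annotations

from collections.abc import Mapping
from urllib.parse import urlsplit

# Constructed allowlist: cookie origin -> hosts it may be attached to.
# A real deployment would derive this from the cookie's Domain attribute or the login host.
COOKIE_SCOPE: dict[str, frozenset[str]] = {
    "mp.weixin.qq.com": frozenset({"mp.weixin.qq.com"}),
}


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split a raw 'Cookie:' header value ('a=1; b=2') into {name: value}."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def cookie_allowed(cookie_origin: str, target_url: str,
                   scope: Mapping[str, frozenset[str]] = COOKIE_SCOPE) -> bool:
    """True only if target_url's host is (a subdomain of) a host the cookie is scoped to.

    urlsplit().hostname is used deliberately: a target such as
    'https://mp.weixin.qq.com@evil.example/' has hostname 'evil.example', so a
    naive prefix check on the URL string would leak the cookie.
    """
    host = (urlsplit(target_url).hostname or "").lower()
    if not host:
        return False
    for allowed in scope.get(cookie_origin, frozenset()):
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def redact_cookie_header(header: str) -> str:
    """Keep cookie names (useful for debugging) but never the bearer values."""
    return "; ".join(f"{name}=<redacted:{len(value)}>"
                     for name, value in parse_cookie_header(header).items())


def redact_secrets(text: str, secrets: Mapping[str, str]) -> str:
    """Replace every occurrence of a secret value with a placeholder naming the variable.

    Longest values are replaced first so a secret that is a prefix of another
    cannot leave the longer one's tail behind.
    """
    for name, value in sorted(secrets.items(), key=lambda kv: len(kv[1]), reverse=True):
        if value:
            text = text.replace(value, f"[REDACTED:{name}]")
    return text


def secrets_from_env(names: tuple[str, ...], environ: Mapping[str, str]) -> dict[str, str]:
    """Collect the values of the named variables so log lines and tracebacks can be scrubbed."""
    return {n: environ[n] for n in names if environ.get(n)}


if __name__ == "__main__":
    # Constructed sample: a pasted WeChat cookie and an environment holding a placeholder key.
    header = "sid=abc123def456; uid=42"
    env = {"EXAMPLE_API_KEY": "sk-placeholder-0001", "PATH": "/usr/bin"}
    print(cookie_allowed("mp.weixin.qq.com", "https://mp.weixin.qq.com/s/xyz"))         # True
    print(cookie_allowed("mp.weixin.qq.com", "https://mp.weixin.qq.com@evil.example/"))  # False
    print(redact_cookie_header(header))                                                 # sid=<redacted:12>; uid=<redacted:2>
    print(redact_secrets("request failed: key sk-placeholder-0001 rejected",
                         secrets_from_env(("EXAMPLE_API_KEY",), env)))
```

Disposal is the one rule this cannot demonstrate: Python strings are immutable and cannot be zeroed, so the practical control is to keep cookies in memory only, never write them to the skill's state files, and let the process exit.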

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad natural-language requests like “公众号深度分析” (“in-depth analysis of an Official Account article”) and “这篇文章深度分析” (“in-depth analysis of this article”), which can overlap with ordinary user conversation and cause the skill to activate unintentionally. Because this skill can fetch external content and write results into IMA, Feishu, or local files, mis-triggering can lead to unintended processing and data modification without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This section instructs the agent to write content to private notes, knowledge bases, Feishu documents, or local disk, but it does not require a clear user warning or confirmation before modifying those destinations. In practice, that increases the risk of unauthorized persistence, accidental overwrites, or storing sensitive article content in systems the user did not fully intend to update.

Missing User Warnings

High
Confidence
97% confidence
Finding
The workflow sends article content through WebFetch, Playwright-driven NotebookLM interactions, and a Gemini API fallback, but the document does not clearly disclose that content may leave the local environment and be transmitted to third-party services. This is especially risky because the sources may contain copyrighted, private, or subscription-only material, and the skill also automates browser-based uploads that can propagate data into external platforms without informed consent.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include very broad requests like '这堆文字整理成思维导图' ('organize this pile of text into a mind map') and '这个帖子做成知识结构图' ('turn this post into a knowledge-structure diagram'), which can match many generic user intents outside the intended Knowledge Planet workflow. This can cause incorrect skill activation, leading the agent to process unrelated private text or route users into a workflow involving uploads, OCR, or third-party tools they did not intend to use.

VirusTotal

65/65 vendors reported this skill as clean. A clean antivirus verdict covers the packaged files only; it does not address the instruction-level findings listed above (paywall bypass, cookie handling, external uploads), which no file signature would detect.