Security audit

科技新闻每日推送 (Daily Tech News Push)

Security checks across malware telemetry and agentic risk

Overview

This news-push skill mostly matches its stated purpose, but it ships with a hard-coded Enterprise WeChat (WeCom) webhook key and an optional email/webhook server with unsafe defaults; users should review both before use.

Before installing, remove the embedded WeCom webhook key from all scripts, rotate that webhook if it is real, and configure your own destination through a secret or local config. Verify the cron schedule before enabling it. Do not run email_webhook.py on a reachable network unless it is bound to localhost and protected, and consider removing the health-check directory listing.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

1. Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The GET endpoint is labeled as a health check, but it also discloses the absolute save directory path and enumerates stored email filenames to any caller. This is an information disclosure issue: it leaks internal filesystem structure and sensitive metadata about received emails, making reconnaissance and follow-on attacks easier.

2. Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The skill automatically fetches content from external sites and forwards processed results to WeCom, but the user-facing description does not clearly foreground that it performs recurring network retrieval and outbound transmission. This can undermine informed consent and cause unanticipated data flow into third-party services or corporate channels, especially in automated cron-driven deployments.

3. Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The documentation instructs users to place a WeCom webhook URL directly in code without warning that it is a sensitive secret. If that URL is committed to a repository, shared in screenshots, or copied into logs, an attacker could use it to send unauthorized messages into the enterprise channel, enabling phishing, spam, or social-engineering abuse.

4. Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script contains a hard-coded Enterprise WeChat webhook secret and can automatically send content to that external endpoint without interactive confirmation. Embedding the webhook key in source code risks credential leakage and unauthorized message sending if the file is exposed, modified, or reused in another environment.

5. Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The code is designed to send generated summaries and links to an external WeCom webhook, and the webhook secret key is hard-coded in the source. This creates an unauthorized data egress path and exposes a credential that anyone with code access could reuse to post messages to the organization's WeCom bot, enabling spam, impersonation, or disclosure of collected content.

6. Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The module performs outbound HTTP requests as soon as the file is executed or imported, which creates side effects without explicit user consent. This is risky in agent environments because simply loading the skill can trigger network access, leak environment metadata such as IP address and User-Agent to third parties, and cause unintended external interactions.

VirusTotal

67/67 vendors flagged this skill as clean.