Security audit

super-weiyun-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Tencent Weiyun management skill, but it asks for account cookies, stores them insecurely, and exposes high-impact file actions with weak safeguards.

Install only if you are comfortable granting this skill access equivalent to your Tencent Weiyun session. Treat pasted Cookie headers and cookies.json like passwords, avoid using it on shared machines, review every upload/delete/share command before execution, and do not let an autonomous agent use permanent deletion or public sharing until the credential storage, trigger scope, command mappings, and confirmations are improved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes filesystem read/write and network operations, plus credential persistence to `cookies.json`, but the manifest does not declare any permissions. This creates a transparency and consent gap: an agent or user may invoke a capability set broader than expected, including local file modification and remote data transfer.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill claims a complete toolkit for destructive and account-affecting cloud operations, but the documented/implemented command mapping is inconsistent and partially nonexistent. This mismatch is dangerous because users and orchestrators may rely on promised safety/behavior guarantees while commands fail unpredictably or call the wrong backend actions, increasing the chance of unintended data loss or insecure fallback behavior.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest description emphasizes cloud storage management but does not clearly foreground that the skill supports destructive operations such as delete, overwrite, permanent deletion, and recycle-bin clearing. Understating destructive capability can cause accidental invocation in benign file-management contexts, especially by an autonomous agent selecting tools from descriptions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly instructs users to copy raw browser Cookie headers and pass them on the command line or store them in a local JSON file, but it does not warn that these cookies are authentication secrets equivalent to account access. This is dangerous because command-line arguments can be exposed via shell history and process listings, and plaintext cookie storage increases the risk of account takeover if the local system or logs are accessed.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes broad terms like `cloud storage`, `文件管理`, and unrelated/noisy phrases, which can cause the skill to activate in contexts not specifically about Tencent Weiyun. Overbroad triggering is dangerous here because the skill can perform networked file operations and destructive actions once selected by an agent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to copy raw browser cookies and pass them on the command line, then save them to `cookies.json`, without prominent warnings about credential theft, shell history leakage, or insecure local storage. These cookies can grant direct account access, so mishandling them can lead to full compromise of the user's Weiyun account and possibly linked Tencent sessions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script accepts highly sensitive browser session cookies and persists them to a local cookies.json file, but it does not warn the user that these cookies may grant account access or advise on secure storage. If the file is left on disk with weak permissions, copied into backups, or exposed on a shared machine, an attacker could reuse the cookies to access the user's Weiyun account.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The upload call forces overwrite=True for /README.md without asking for confirmation, which can unintentionally replace an existing remote file. In a cloud-storage management skill, this increases the chance of accidental data loss or destructive behavior if the script is run in the wrong account or directory context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists authentication cookies and session tokens to a JSON file on disk, including a raw cookie string and cookie dictionary, without warning the user about the sensitivity of those credentials or applying protections such as restrictive file permissions or secure storage. If another local user, process, backup system, or malware reads this file, the tokens may enable account hijacking for the Weiyun session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI exposes a permanent deletion path via `delete --permanent` and immediately invokes the destructive client operation without any additional confirmation prompt or safeguard. In a storage-management skill, this increases the risk of accidental irreversible data loss from mistyped paths, automation mistakes, or unsafe agent invocation.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.