Security audit

toutiao draft

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it automates saving user-provided content and optional images into a logged-in Toutiao draft box, with no hidden code or install hooks.

Install only if you want an agent to operate your logged-in Toutiao creator session. Before running it, check the active account, content batch, and image URLs; avoid untrusted image links and clean up staged files if needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly instructs the agent to download external images, write them to a local path, and use a logged-in browser session to create drafts on a third-party account, but it does not require clear user confirmation or disclose these side effects before acting. This creates a real risk of unintended network access, local file persistence, and account-side modifications, especially if triggered by loosely scoped user requests or untrusted markdown content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal