Security audit

Qmsg Push

Security checks across malware telemetry and agentic risk

Overview

This is a real QQ notification skill, but it under-discloses its required credential and third-party data transfer.

Install only if you are comfortable storing a Qmsg key locally and sending notification contents to qmsg.zendee.cn. Treat the Qmsg KEY as a secret, keep it out of logs and version control, restrict the secrets file permissions, and do not send tokens, passwords, personal data, or sensitive command output through this skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill documentation describes capabilities that read a local secret file and perform outbound network transmission, but it does not declare permissions or otherwise make those capabilities explicit. This weakens user consent and platform enforcement because a seemingly simple notification skill can access local credentials and send data externally without clear upfront disclosure.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The skill claims it works 'without API Key' while the instructions require obtaining a KEY and storing it in secrets.json. This mismatch is security-relevant because it can mislead users about credential handling, trust assumptions, and the actual sensitivity of the setup, increasing the chance that secrets are stored or shared unsafely.

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The README instructs users to place a live Qmsg credential in a local secrets file but does not warn that the key is sensitive or recommend protecting the file with restrictive permissions. If that file is left readable by other local users, committed to version control, or included in backups/logs, the key could be exposed and abused to send unauthorized notifications via the user's Qmsg account.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The markdown instructs users to send arbitrary message content to a third-party push service but provides no explicit warning that message contents leave the local environment. In this context, automation-generated messages may contain sensitive operational, personal, or secret data, so missing privacy disclosure raises the risk of unintended data exfiltration.

Credential Access

High

Category: Privilege Escalation
Content: ## 工作流程 1. 自动化任务触发 → 创建临时 agent 2. agent 读取 `~/.workbuddy/qmsg_push.py` 和 `~/.workbuddy/secrets.json` 3. 执行脚本，消息推送至配置的 QQ 号
Confidence: 89% confidence
Finding: secrets.json

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal