Zero-to-Launch

Security checks across malware telemetry and agentic risk

Overview

The main skill is a product-planning coach, but the package also includes unrelated WeChat publishing tools with account credentials and write access to a third-party platform.

Review before installing. The prompt itself appears usable for product planning, but the package should remove or clearly separate the WeChat publisher, delete and rotate the exposed WeChat secret, avoid checked-in config.json secrets, and align all documentation and metadata to one skill identity before normal installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The documentation describes a different skill identity ('Product Sense Coach') than the manifested skill ('zero-to-launch'), which can mislead users and reviewers about the capability, scope, and expected behavior of the installed agent. In security terms, identity and scope mismatch undermines trust boundaries and can cause users to invoke a skill under false assumptions, increasing the chance of unintended prompt injection, data exposure, or misuse of a broader skill than advertised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The blog post documents a different skill name and framing ('Product Sense Coach') than the manifested skill ('zero-to-launch'), creating a documentation/identity mismatch. This can mislead users and integrators about what will actually run, weakening informed consent and making prompt-behavior review, deployment approval, and policy checks less reliable.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The script directly overwrites a local publishing artifact (`blog-post-wechat.html`) on disk, which is outside the stated product-discovery and launch-planning scope of the skill. Even without overtly malicious behavior, this kind of hidden file mutation increases the attack surface because a user invoking an advisory skill would not reasonably expect local content files to be modified.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
This code performs specialized WeChat HTML transformation, sanitization, and compression that is unrelated to the skill's declared zero-to-launch advisory purpose. Capability/scope mismatch is dangerous because it can conceal unauthorized publishing-pipeline manipulation inside a skill that users would trust for brainstorming and planning rather than artifact processing.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
This file implements a full WeChat publishing CLI that obtains OAuth-style access tokens, uploads media, and creates article drafts, which is materially unrelated to the declared skill purpose of product ideation and launch planning. Hidden or unjustified outbound publishing capability in a mismatched skill increases the risk of unauthorized content publication, credential misuse, and supply-chain abuse because users may not expect this skill to perform actions against an external publisher account.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code contains direct external content-publishing capability to WeChat, including token retrieval, image upload, and draft creation APIs, without justification from the skill's stated business purpose. In the context of an ideation/planning skill, this creates an unexpected action surface that could be abused to exfiltrate content, misuse stored secrets, or publish material to a third-party account without users fully understanding the capability.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger list includes very broad everyday phrases such as '我想做', '有个想法', and '从零开始', which can cause the skill to activate in many unrelated contexts. Overbroad activation increases the chance of unintended invocation, context capture, and tool use such as web searches when the user did not actually request this workflow.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The 'When to Use' section defines activation conditions so broadly that normal discussion about ideas, startups, or wanting help thinking can match. This weak boundary-setting can lead to the skill steering conversations unexpectedly and broadening data collection beyond user intent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The phrase '我有一个产品想法想聊聊' is broad enough to match normal conversation, so the skill may auto-activate when a user is merely brainstorming rather than intentionally invoking this specific workflow. Unintended activation is risky because it can silently shift the assistant into a specialized prompt regime, changing behavior, collecting more structured information, or overriding the user's expected interaction context.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The README explicitly tells users to place a highly sensitive WeChat AppSecret into a local config.json file, but provides no warning about treating it as a secret, excluding it from version control, or using safer secret-management options. This can easily lead to accidental disclosure through Git commits, backups, logs, screenshots, or sharing the project directory, which would allow unauthorized use of the WeChat Official Account (公众号) API within the scope of that credential.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script overwrites the source HTML file immediately with `fs.writeFileSync` and gives no confirmation, backup, or rollback path. This is dangerous because a mistaken run, bad regex replacement, or unexpected input can silently corrupt the original publishing artifact and cause data loss or hard-to-detect content changes.

VirusTotal

66/66 vendors flagged this skill as clean.