问卷网

Security checks across malware telemetry and agentic risk

Overview

The skill appears to manage Wenjuan surveys as advertised, but it can use saved account credentials to publish, stop, edit, delete, and export survey data with several high-impact actions relying on documentation rather than built-in confirmation gates.

Install only if you intend this skill to operate your Wenjuan account. Review each publish, stop, edit, delete, and export request before allowing it to run, keep ~/.wenjuan and the skill .wenjuan directory private, do not commit token or export files, and prefer installing Node.js yourself rather than relying on the auto installer.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger

Findings (31)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The documentation presents `update_project` as a metadata-edit operation, but later reveals it may automatically stop collection and archive the project before editing. In a survey platform, those workflow transitions materially change the live state of a project and can interrupt ongoing data collection, so hiding them behind an innocuous update action creates a dangerous mismatch between operator expectation and actual behavior.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: This script bypasses the skill’s own stated safety requirement that users must explicitly confirm the survey title, type, and summary before opening collection. Because it performs one-click creation and publication from hard-coded presets, an operator or downstream agent could unintentionally publish a live assessment without the required human verification, causing unauthorized or incorrect public data collection.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README explicitly states that login credentials/tokens are written to `~/.wenjuan/` and `.wenjuan/auth.json`, but it does not warn users that these files contain sensitive authentication material that could be reused if copied, committed, or exposed on a shared machine. In an agent skill context, this is more dangerous because automation commonly runs in multi-user workspaces, CI environments, or synced directories where persistent tokens may be unintentionally disclosed.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The README advertises exporting raw survey data without any warning that exported responses may include personal, confidential, or regulated data. In this skill's context, the risk is elevated because the platform is designed for surveys, forms, registrations, assessments, and data collection, making sensitive respondent information a normal and foreseeable output of the feature.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger guidance includes broad generic terms such as survey, collection, form, registration, testing, and similar phrases that can appear in many unrelated user requests. In this skill, unintended activation is more concerning because activation can lead to shell execution, login flows, browser launch, and publish/export operations against a real third-party account.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The instruction to directly use the skill for '收集一下大家的意见' is overly ambiguous because it could refer to informal brainstorming, document drafting, messaging, or many non-Wenjuan tasks. Given this skill's ability to create/publish projects and interact with account data, misrouting such vague requests could cause unintended external actions or account changes.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The documentation explicitly enables export of raw questionnaire response data, which may include personal, sensitive, or administrative fields, but does not warn about data sensitivity, access control, retention, or secure handling. In a survey platform context this increases the risk that operators export respondent data to local storage or share it insecurely without understanding privacy and compliance implications.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The guide explicitly supports collection of sensitive personal data such as ID numbers, phone numbers, email addresses, location, department, and student/employee identifiers, but does not require consent prompts, purpose limitation, minimization guidance, or retention/handling safeguards. In a survey-building skill, this increases the risk that an agent will help create forms that collect regulated personal data without adequate notice or controls.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: File upload, image upload, and electronic signature inputs can collect highly sensitive content, identity evidence, or legal attestations, yet the guide provides implementation details without any warning about consent, acceptable use, malware risks, or secure storage implications. In this skill context, that omission can normalize creation of forms that request sensitive artifacts without appropriate user-facing disclosures or internal safeguards.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The documentation describes publishing and stopping survey collection but does not clearly warn that `publish` makes the survey live and able to collect external responses, while `stop` interrupts availability. In an agent setting, this omission can lead to unintended public launch or service interruption because the action changes real-world data-collection state, not just local configuration.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list is extremely broad and includes common terms like '调查', '表单', '报名', and '登记', which can appear in ordinary conversation outside the intended Wenjuan context. In an agent environment, this increases the chance of unintended skill invocation, potentially causing the agent to select a networked survey/export capability when the user did not actually intend to operate on Wenjuan.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The overview advertises raw response export as a normal capability but does not warn that exported survey data may contain personally identifiable information, sensitive assessments, contact details, or other regulated data. In this skill's context, exporting data is a high-risk action because the platform is explicitly used for forms, registrations, evaluations, and tests, all of which commonly contain sensitive respondent information.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The markdown acknowledges that editing may automatically stop collection and archive the project, but the warning is buried in notes instead of being presented as a primary operational risk. In this skill context, the account can manage real production surveys, so an unsuspecting user or agent could unintentionally take a live questionnaire offline, causing service disruption and loss of incoming responses.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documentation instructs users/agents to follow server-provided `instruction` values for updates, but it does not warn that this field is untrusted remote content and could suggest shell commands or other impactful actions. In an agent or automation context, this can create an instruction-injection path where a compromised or malicious update service causes unsafe actions such as arbitrary command execution, unsafe downloads, or destructive file changes.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script performs a write action that creates a survey question immediately after argument parsing and project selection, without a final explicit confirmation step summarizing the target project and the exact changes. In an agent-skill context, this is risky because an LLM or automation layer could invoke the tool with unintended parameters, causing unauthorized or accidental modification of live survey content.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The CLI prints the generated signature, appkey, timestamp, and all request parameters in cleartext. In a signing tool, these values may include sensitive business parameters or reusable authentication material, and they can be exposed through terminal history, CI logs, shell capture, or screen sharing. The skill context increases risk because this utility is explicitly designed to generate request signatures for API access, so its outputs are more security-sensitive than ordinary debug data.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script prints `device_code` directly to stdout, even though it is also treated as a secret when saved via `writeSecretFile`. In CLI and agent environments, stdout is commonly captured by logs, terminal history, orchestration systems, or other observers, which can expose this login secret and enable unauthorized completion of the login flow.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script unconditionally calls ensureReadyForEdit before performing edits, which can stop collection and archive a live survey as a side effect of a seemingly simple metadata update. In this skill context, that behavior can disrupt active data collection or business workflows if an agent invokes the tool without clearly informing the user that editing will change project state.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The workflow supports fetching JSON from an arbitrary remote URL and then importing that content into the Wenjuan platform without an explicit consent step warning the user that third-party content will be retrieved and retransmitted. This can leak sensitive questionnaire content or embedded personal data to external services unexpectedly, especially if users assume only local processing occurs.

Unpinned Dependencies

Low

Category: Supply Chain
Content: "author": "", "license": "MIT", "dependencies": { "axios": "^1.6.0", "open": "^10.0.0" }, "engines": {
Confidence: 90% confidence
Finding: "axios": "^1.6.0"

Unpinned Dependencies

Low

Category: Supply Chain
Content: "license": "MIT", "dependencies": { "axios": "^1.6.0", "open": "^10.0.0" }, "engines": { "node": ">=18.0.0"
Confidence: 87% confidence
Finding: "open": "^10.0.0"

External Script Fetching

Low

Category: Supply Chain
Content: *CentOS/RHEL/Fedora：* ```bash # 使用 NodeSource 安装最新版本 curl -fsSL https://rpm.nodesource.com/setup_20.x | sudo bash - # Fedora/CentOS 8+/RHEL 8+ sudo dnf install -y nodejs # CentOS 7/RHEL 7
Confidence: 95% confidence
Finding: curl -fsSL https://rpm.nodesource.com/setup_20.x | sudo bash

External Script Fetching

Low

Category: Supply Chain
Content: sudo apt-get install -y nodejs CentOS/RHEL/Fedora: curl -fsSL https://rpm.nodesource.com/setup_20.x | sudo bash - sudo yum install -y nodejs Windows:
Confidence: 95% confidence
Finding: curl -fsSL https://rpm.nodesource.com/setup_20.x | sudo bash

External Script Fetching

Low

Category: Supply Chain
Content: # 方式二：使用 nvm 管理 Node.js 版本（推荐） # 安装 nvm curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash # 安装 Node.js nvm install 20 nvm use 20
Confidence: 88% confidence
Finding: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via proto Key in mergeConfig) +7 more

High

Category: Supply Chain
Confidence: 97% confidence
Finding: axios==1.6.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal