Back to skill

Security audit

腾讯文档Markdown

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Tencent Docs Markdown automation tool that requires sensitive account cookies and can modify documents, but the behavior is coherent with its purpose and includes reasonable user-facing safeguards.

Install only if you are comfortable granting this skill reusable Tencent Docs account access. Prefer a dedicated automation account, verify document URLs and titles before update/delete/rename, avoid -y/--yes unless certain, and run logout or delete .cookies.json when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'doc_url' from requests.get (line 94, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
except Exception:
        raise RuntimeError(f"Invalid docUrl: {doc_url}")

    resp = requests.get(
        doc_url,
        headers={
            **get_headers(cookies),
Confidence
95% confidence
Finding
resp = requests.get( doc_url, headers={ **get_headers(cookies), 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', },

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes broad capabilities including file read/write, network access, and shell execution, yet the skill metadata declares no permissions. This creates a transparency and policy-enforcement gap: an agent or user may invoke a highly privileged skill without understanding that it can access local files, persist credentials, call external services, and run local commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared description focuses on Markdown document management, but the documented behavior also includes browser automation, QR-code login, persistent session-cookie storage, logout/relogin flows, local QR rendering, and release/publish tooling. This mismatch is dangerous because users and policy engines may authorize the skill for low-risk document handling while it actually performs credential acquisition/storage and broader local-system actions.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The authentication module automatically launches the system's default external application to display the QR image, which exceeds the minimum privilege needed for a document skill. While not an obvious exploit by itself, invoking external handlers can expose users to unexpected application launches, local handler quirks, and unnecessary expansion of the trust boundary.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad trigger phrases for upload/sync style actions can cause accidental activation when a user is discussing files in general rather than intending Tencent Docs operations. In this skill, mistaken invocation is more dangerous than usual because activation can lead to local file reads, network uploads, and document modification in a real account.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Several upload/sync triggers are underspecified and do not clearly constrain the target platform to Tencent Docs. This can cause the agent to route generic file-sync requests into a credentialed document-management skill, potentially exposing local content or overwriting remote documents without the user's clear intent.

Vague Triggers

Low
Confidence
84% confidence
Finding
Login triggers like '重新登录' and 'Cookie过期了' are vague and may fire outside this skill's intended scope. Because the skill launches browser-based authentication and persists account cookies, an accidental trigger can initiate unnecessary credential workflows and session changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.