Automated article writing for WeChat Official Accounts (微信公众号文章自动化写作)

Security checks across malware telemetry and agentic risk

Overview

This is mainly a WeChat article-writing skill, but it deserves review because it can rewrite its own rule files and keeps user drafts/research on disk by default.

Install only if you are comfortable with local retention of drafts and with reviewing any Step 8 changes before they modify the skill. Avoid confidential drafts unless you control the workspace and helper tools, and treat generated RAG/API setup guidance as needing extra privacy and credential-handling review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill includes a built-in workflow to '复盘并更新 Skill' (review and update the Skill) by modifying its own reference files and, if needed, SKILL.md itself based on content diffs. That creates a self-modifying prompt surface: untrusted article inputs or a maliciously crafted 'final published version' can poison future behavior, persist prompt injection, or silently weaken safety constraints over time.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The instructions explicitly allow changing reference files and potentially SKILL.md, even though the declared purpose is article writing. This exceeds the minimum privilege required for the task and enables persistent tampering with the skill's future rules, which can be abused to implant malicious instructions, data exfiltration logic, or disable safeguards across later runs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The file contains a complete RAG application stack with Elasticsearch, MongoDB, web ingestion, local model setup, and a Streamlit chat UI, which materially exceeds the declared purpose of a skill meant to help write/edit WeChat articles in a specific style. This expands the operational capability of the skill toward data ingestion and retrieval over external/local content, increasing attack surface and the chance that the agent may perform unintended networked or data-processing actions outside user expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The content instructs users to install Ollama and configure Hugging Face model downloads via an external mirror, introducing network-backed model retrieval capabilities not justified by the skill's stated writing purpose. In the context of an agent skill, this kind of undeclared external dependency expansion can lead to unreviewed downloads, supply-chain exposure, and behavior that surprises users who expected a bounded writing assistant.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill requires saving user-provided drafts, generated edits, and final outputs to persistent local paths as a mandatory step, but it does not disclose retention, obtain consent, or minimize what is stored. For writing workflows, drafts often contain unpublished business plans, personal experiences, or proprietary text, so mandatory retention increases confidentiality and privacy risk if the workspace is shared or later accessed by other tools.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill defaults to networked research and instructs the agent to fetch external pages whenever facts or new topics are involved, without a clear user-facing warning that prompts or topic details may drive outbound requests. In a writing assistant context, themes can reveal confidential projects, unreleased strategies, or sensitive personal material, so automatic external lookup expands the data exposure surface.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The article states that AnythingLLM can also use OpenAI, Gemini, and Mistral API services, but it does not warn readers that choosing those providers may transmit prompts, retrieved document content, or metadata to third-party services. In the context of a skill teaching users to build a local knowledge base for private documents, that omission can mislead users into thinking all configurations preserve local-data privacy, creating a real privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The markdown shows fetching arbitrary web pages into a knowledge base using a web reader, but provides no warning about privacy, copyright, data handling, or the fact that URLs and fetched content may involve external transmission and storage. In a skill presented as an article-writing aid, this is risky because users may unknowingly ingest sensitive or proprietary pages into persistent stores such as MongoDB and Elasticsearch.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger examples are broad, generic user requests such as asking for help writing or editing an article, which can cause the skill to be invoked in situations beyond its intended scope. Over-broad activation increases the chance of accidental routing, unexpected data exposure to the skill, and user confusion about which capability is being used.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The skill mandates persistent logging of inputs, research, drafts, edits, and final outputs in run directories and explicitly states they are not automatically deleted. This creates unnecessary long-term retention of potentially sensitive user content and browsing-derived material, increasing the chance of later leakage, unintended reuse, or cross-task access by other agents and users on the same system.

VirusTotal

64/64 vendors flagged this skill as clean.