WeChat Official Account Copywriting

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its WeChat copywriting purpose, but it ships a plaintext RedFox API key and under-discloses handling of personal writing samples.

Review before installing. Do not use the bundled plaintext API key; create your own RedFox key with revocation controls, and the publisher should rotate and remove the exposed key. Avoid pasting private diaries, confidential drafts, client material, regulated data, or anything you would not want processed by your assistant or reflected in generated copy.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The skill instructs the agent to read arbitrary structured documents and perform web searches for competitive intelligence, expanding data access beyond the stated purpose of article trend retrieval and drafting. That scope creep can expose unrelated local or connected data to the model and increase the chance of unauthorized collection or misuse of sensitive business information.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The document exposes a live third-party API key in plaintext, which is a credential disclosure vulnerability. Anyone with access to this file can reuse the key to query the vendor API, consume quota, incur costs, or access data under the skill owner's account; because this is a writing assistant rather than an infrastructure tool, embedding operational secrets in public-facing documentation is especially unjustified and increases risk.

Vague Triggers

Medium
Confidence: 87%
Finding
The README says users can invoke the skill by simply describing their needs in natural language, without defining clear activation boundaries. In an agent environment, broad trigger guidance can cause accidental invocation on ordinary writing-related requests, which may send user prompts or content to the external RedFox-backed workflow without the user realizing this specific skill was activated.

Vague Triggers

Medium
Confidence: 90%
Finding
The example phrases are common requests such as writing an article or blending personal style, which overlap heavily with normal assistant usage. This increases the risk of unintended invocation, especially because the skill can process user-authored content and potentially involve external services, causing privacy and routing issues beyond the user's expectations.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill promotes uploading personal writing samples for style analysis but does not clearly warn that this user-provided content may be sent to an external service or processed outside the local agent context. Users may unknowingly share sensitive personal, business, or unpublished material, creating confidentiality and data-handling risks.

Vague Triggers

Medium
Confidence: 90%
Finding
The README instructs users to invoke the skill with broad natural-language requests such as '帮我写一篇…' ("help me write a…") without clearly constraining when the skill should activate versus when a general assistant should respond. This can cause over-triggering, accidental routing of unrelated user prompts into the skill, and unintended transmission of user-provided content to the external RedFox-backed workflow, increasing privacy and misuse risk.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill advertises uploading personal writing samples for style analysis but does not warn users about privacy risks, retention, third-party processing, or the possibility that samples may contain personal or confidential information. Because writing samples often include identifiable patterns, private experiences, or sensitive business text, omission of this warning can lead to inadvertent disclosure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill asks users to upload personal writing samples but provides no warning against including sensitive or private information. Users may paste diaries, notes, or other text containing personal data, which could then be processed, retained, or surfaced in generated content without informed consent.

Missing User Warnings

High
Confidence: 98%
Finding
This markdown not only documents an external API but also includes a usable credential with no warning or handling guidance, making accidental leakage and misuse more likely. In the context of a content-generation skill, users do not need direct access to backend secrets, so the presence of the key in docs materially increases the attack surface without serving a legitimate user-facing purpose.

Ssd 3

Medium
Confidence: 95%
Finding
The skill explicitly directs the model to analyze personal writings and reuse that material in output, creating a risk of memorization, overexposure, or reproduction of sensitive personal content. In this context, the danger is higher because the requested sources include intimate materials like notes, diaries, and essays, which commonly contain private data and identifiable writing traits.

VirusTotal

65/65 vendors flagged this skill as clean.