公众号爆款文章查询 (WeChat Official Account viral article search)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its WeChat article-search purpose, but it ships a hardcoded Redfox API key and includes optional calendar subscription behavior that users should review carefully.

Install only after the publisher removes and rotates the exposed Redfox API key. Use your own REDFOX_API_KEY, assume search terms and dates are sent to redfox.hk, and only approve subscription creation when you want a recurring calendar reminder for that query.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill expands from article search into calendar-based subscription creation, which is a separate action affecting external user resources. Even if presented as convenience, bundling task creation into a search skill increases the chance of unexpected side effects and permission overreach beyond the user’s initial intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
This section mandates use of `calendar_create` after returning search results, turning a read-oriented search workflow into a write/action workflow against a calendar system. That is dangerous because it normalizes persistent external actions and could cause unwanted reminders, privacy leakage in calendar entries, or abuse if the agent executes without sufficiently granular consent.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The document contains a fixed X-API-Key value in a public request example, which is a real secret disclosure rather than a harmless placeholder. Anyone with access to the skill files can reuse the credential to call the external API, potentially consuming quota, accessing proprietary data, or causing billing and abuse issues for the key owner.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding
The manifest says the skill is for keyword-based 公众号 (WeChat Official Account) article search, but the implementation explicitly treats an empty keyword as a request for site-wide hot content. This is a scope mismatch that can cause the agent to return broader data than the user intended, weakening least-surprise and data-minimization expectations.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The example trigger phrases are very broad natural-language requests such as asking to 'find' or 'show' hot articles, which can easily overlap with ordinary conversational queries. Without explicit activation boundaries, an agent may invoke the skill unintentionally and send user prompts to the external service when the user only wanted discussion or brainstorming, creating unintended data disclosure and action-taking risk.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The subscription example mixes ordinary conversational wording with an action that creates a scheduled push task. If an agent treats casual mention of daily pushes as consent to subscribe, it could create persistent background actions or notifications the user did not explicitly authorize.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The README suggests activation using very broad natural-language phrases such as '帮我查一下…' ("help me look up…") and '最近全站有什么热门文章' ("what hot articles are there site-wide recently"), without clear boundaries that distinguish ordinary conversation from intentional tool invocation. In an agent environment, this can cause accidental or prompt-injected activation, leading the skill to run searches or create subscriptions when the user did not explicitly intend to invoke this specific tool.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The trigger description is broad enough to overlap with common requests about article search, hot content, and creative inspiration, which can cause accidental invocation. Over-broad triggering is risky because it may expose API-backed behaviors, network calls, or subscription prompts in contexts where the user did not intend to use this skill.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The request-header example exposes what appears to be a live credential without any warning, scoping note, or safe handling instructions. In the context of a search tool, this makes the skill more dangerous because the embedded key directly enables access to a third-party service unrelated to merely describing a data format.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
User-supplied keywords and date ranges are sent to an external service without any explicit disclosure in the skill interface or manifest. This creates a privacy and trust risk because users may not realize their queries are being transmitted off-platform to a third party.

Ssd 3

Severity: High
Confidence: 99%
Finding
A hardcoded API key is present in documentation and can be copied verbatim for unauthorized API access. Because this is a content-discovery skill and not a credential-management component, embedding a reusable secret is unnecessary and increases the likelihood of abuse, service exhaustion, unauthorized data retrieval, and key compromise propagation.

VirusTotal

64/64 vendors flagged this skill as clean.