Back to skill

Security audit

Zhanfu Playwright

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for ZhanFu store automation, but it asks for account passwords in chat and ships or writes local business state while controlling a live desktop client.

Install only if you are comfortable giving the agent control over ZhanFu, live store browsers, local cache deletion, and store creation. Avoid pasting real passwords into normal chat unless your environment provides secure secret handling, clear the bundled mall cache before use, and require explicit confirmation before login, cache clearing, client restart, or broad page automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
kw: dict[str, Any] = dict(capture_output=True, text=True, timeout=15)
        if hasattr(subprocess, "CREATE_NO_WINDOW"):
            kw["creationflags"] = subprocess.CREATE_NO_WINDOW
        r = subprocess.run(["powershell", "-NoProfile", "-NoLogo", "-Command", ps], **kw)
        if r.returncode != 0:
            return None
        t = (r.stdout or "").strip().strip('"')
Confidence
78% confidence
Finding
r = subprocess.run(["powershell", "-NoProfile", "-NoLogo", "-Command", ps], **kw)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly uses powerful capabilities including file read/write, network access, environment access, and shell execution, yet no permissions are explicitly declared. That creates a transparency and governance gap: operators and users cannot accurately assess what the skill can do before installation, and automated policy enforcement may fail to constrain risky operations such as process killing, local state persistence, and HTTP control of a desktop application.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The description presents the skill primarily as headed Playwright automation using HTTP before CDP, but the body also authorizes process termination, install-path discovery, credential-based login, persistent local state, shop creation, cache clearing, and client exit operations. This mismatch can mislead users and reviewers about the real trust boundary and operational impact, increasing the chance that a user triggers sensitive local or account actions they did not expect.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill performs host-level PowerShell inspection of desktop shortcuts, which exceeds simple WebDriver/Playwright browser automation and broadens access to local OS state. In an agent-skill context, undeclared host introspection is dangerous because users may not expect the skill to enumerate desktop artifacts or execute shell tooling at all.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script force-terminates the ZhanFu client process tree as part of restart handling, which is a host process-management capability beyond normal browser automation. In an agent environment this can disrupt user workflows, destroy unsaved state, and be abused to interfere with other local activity if the matching process name is broader than expected.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger guidance intentionally accepts loose natural-language phrasing for sensitive actions like opening software and stores. Overly broad invocation patterns raise the risk of accidental activation or misrouting, especially in conversational contexts where ambiguous wording may be interpreted as authorization to perform impactful local actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill allows open-ended natural-language requests for browser actions such as opening URLs, filling forms, and scraping page data after a store opens. That broad trigger surface can enable unintended data access or sensitive actions if the model overgeneralizes a user's request, particularly because the browser session is tied to a live store environment.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs users to provide a ZhanFu account and password directly in chat without a prominent credential-sensitivity warning or a safer collection mechanism. This exposes credentials to conversational logging, model retention controls, and operator visibility, making account compromise more likely if logs or transcripts are accessed improperly.

Missing User Warnings

High
Confidence
95% confidence
Finding
The store-creation flow solicits optional store account/password fields without warning users that these are sensitive secrets or explaining how they will be handled. Because the skill also persists local state and performs account-linked automation, collecting such credentials in-band materially increases exposure risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Login section operationalizes direct username/password submission for authentication but omits a clear privacy and handling notice at the point of collection. Even though it says not to use test accounts, it still normalizes plaintext credential entry into the assistant workflow, which is dangerous in environments with transcript storage or multi-tenant review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document exposes destructive operations like ClearCacheFolder and ClearCache that delete browser/user data and logs, but it does not require an explicit confirmation or prominent warning about irreversible deletion and operational impact. In an automation skill that may be executed by an agent, this increases the risk of accidental data loss, loss of forensic artifacts, or disruption of active store environments.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The script writes multiple local state files, including install paths, API ports, shop identifiers, and opening intent, without an explicit consent step or data-retention notice. In a skill setting this can leak operational metadata, create persistence users did not request, and leave sensitive business context on disk for other local users or tools to read.

External Transmission

Medium
Category
Data Exfiltration
Content
last_err: Optional[Exception] = None
        for i in range(retries):
            try:
                resp = requests.post(
                    self.base_url,
                    json=payload,
                    headers={"Content-Type": "application/json"},
Confidence
72% confidence
Finding
requests.post( self.base_url, json=

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
requests>=2.28.0
Confidence
88% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: requests==2.28.0 — 8 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +5 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests==2.28.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.