Qianchuan Doudian Data Scraping Daily Report Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it scrapes scoped business dashboard data and optionally writes it to a user-configured Feishu spreadsheet with explicit enablement and confirmation gates.

Before installing, verify the configured Feishu spreadsheet token, sheet IDs, and cell ranges because enabling Feishu writes will modify that spreadsheet. Treat STORAGE_STATE_BASE64 or storage_state.json as sensitive login material, and only enable local report generation if storing scraped business data on disk is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 86%
Finding
The script unconditionally sends scraped account records to Feishu unless the downstream function decides to skip, but the top-level flow provides no explicit user consent step, sensitivity warning, or data classification check before external transmission. If the scraped records contain personal, internal, or otherwise sensitive account data, this can cause unintended disclosure to a third-party SaaS destination or the wrong sheet configuration.

VirusTotal

64/64 vendors flagged this skill as clean.