Skill Trust Decision

问专家技能

Skill documentation explicitly mentions bypassing robot detection and operating on authenticated browser sessions, suggesting potential for unauthorized automation and terms-of-service violations.

Source: Manual upload · Scanned: Apr 4, 2026
Files 1
Artifacts 0
Violations 0
Findings 4
Most direct threat evidence
High RCE
Bypass robot detection declared as legitimate use case

The skill explicitly lists 'bypass robot detection scenarios' as an applicable use case. This suggests the tool is designed to circumvent anti-bot measures, which could violate terms of service of various platforms.

SKILL.md:58

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Bypass robot detection declared +25

SKILL.md explicitly lists 'bypass robot detection scenarios' as use cases

Authenticated session manipulation +15

Operates on user's already-logged-in browser without explicit user consent mechanism

No implementation code to audit +10

Only SKILL.md exists - actual execution logic cannot be verified

Automation tools (pyautogui) +5

Uses mouse automation which could enable screenshot harvesting or click fraud

Most important evidence

High RCE

Bypass robot detection declared as legitimate use case

The skill explicitly lists 'bypass robot detection scenarios' as an applicable use case. This suggests the tool is designed to circumvent anti-bot measures, which could violate terms of service of various platforms.

SKILL.md:58
Remove bypass robot detection use cases. This functionality could facilitate unauthorized automated access to services.
Medium Doc Mismatch

Skill name misleads about actual functionality

Skill is named '问专家技能' (Ask Expert Skill) but actually automates browser control through Playwriter. The actual behavior (browser automation) is not apparent from the name.

SKILL.md:1
Rename skill to accurately reflect browser automation functionality
Medium Sensitive Access

Authenticated session manipulation without explicit consent

The skill operates on a user's already-logged-in Chrome browser. This means it can potentially access any authenticated sessions (email, banking, social media) without explicit per-action user consent.

SKILL.md:1
Implement explicit user consent workflow before each authenticated action.
Low Supply Chain

No implementation files to audit

Only SKILL.md documentation exists. Actual execution code cannot be reviewed for hidden behavior.

SKILL.md:1
Request full implementation code before production deployment.

Declared capability vs actual capability

Shell · Pass · Declared WRITE · Inferred WRITE · SKILL.md - uses bash, python3 subprocess
Browser · Pass · Declared READ · Inferred READ · SKILL.md - controls Chrome via Playwriter
Filesystem · Pass · Declared WRITE · Inferred WRITE · SKILL.md - screenshot saving

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 88 lines
Markdown 1 file · 88 lines
Files of concern · 1
SKILL.md Markdown · 88 lines
Skill name misleads about actual functionality · Bypass robot detection declared as legitimate use case · Authenticated session manipulation without explicit consent · No implementation files to audit

Security positives

Uses documented Playwriter tool (open source browser automation framework)
No base64-encoded strings or obfuscated code observed
No credential harvesting or environment variable access detected
No network requests to external IPs documented