tuzi-skills-bundle
Audited by Socket on Mar 22, 2026
9 alerts found:
Anomalyx7Securityx2The code is not overtly malware (no suspicious remote exfiltration, no obfuscation, no hard-coded credentials). However, it intentionally extracts Google authentication/session cookies via a locally started browser's DevTools Protocol and persists them to disk. That capability is high-privilege and privacy-sensitive: if misused or run in an untrusted environment it can enable account takeover or session theft. Treat this module as sensitive: review how and where cookies are persisted (file permissions and consumers), ensure it runs only in trusted contexts, and consider requiring explicit user consent/secure storage for extracted cookies.
SUSPICIOUS. The skill's main capability matches its stated purpose, but its footprint is elevated because it uses a reverse-engineered Gemini web flow, depends on browser cookies/profile access, and runs through a runtime download/execute path. I see no strong evidence of outright malware or third-party exfiltration, but the auth model and local access are disproportionate compared with an official Gemini integration.
SUSPICIOUS. The skill’s broad purpose mostly matches its local file writes and conversion workflow, but its core network/data path is unverifiable because the actual script is missing while it requests high-value X session credentials for a reverse-engineered API. The Bun execution path is a modest same-org supply-chain risk; the bigger issue is undisclosed credential use and unknown endpoints.
该技能的声明用途与其高层工作流基本一致,但关键风险在于把 API key、提示词和生成流程委托给未公开验证的本地 `tuzi-video-gen`。未见明确恶意或凭据窃取证据,但存在中高风险的供应链/信任链问题与不透明的数据流,因此应判定为 SUSPICIOUS。
Mostly coherent comic-generation skill with proportionate local file access, but medium risk due to unpinned `npx` execution and reliance on an unprovided sibling image-generation skill. No direct evidence of malware or credential theft in this excerpt, yet installer/execution trust and downstream data flow remain insufficiently verifiable.
SUSPICIOUS. The skill’s functionality aligns with image generation, but its default use of Tuzi as a third-party relay and its arbitrary base URL overrides create meaningful data-flow and credential-routing risk. The Bun execution path is official and not an unverifiable binary, so this is not malware, but it is a medium-risk skill due to proxy trust and endpoint override exposure.
SUSPICIOUS as a bundle router: the file itself is simple, but it delegates execution to many unreviewed subskills, including public-posting and 'danger' backend modules. Without the subskill SKILL.md files, the bundle's effective behavior and data flows cannot be verified, so risk is medium by transitive delegation rather than confirmed malware.
该技能的能力与声明用途基本一致:读取本地文章与配置,使用微信官方 API 或官方站点浏览器会话发稿,数据流向也与微信公众号发布场景匹配,未见明显第三方中转或凭据外传。主要风险在于它允许 AI 代理执行真实对外发布操作,并处理公众号凭据与登录会话,因此整体应视为高风险自动化发布工具,而非恶意技能。
SUSPICIOUS. The core capability matches video generation, but the main risk is data-flow integrity: prompts, reference media, and API credentials are routed through Tuzi’s relay/proxy endpoint instead of official model-provider APIs. Local credential-file reading and a custom base URL override increase exposure, while the unpinned `npx -y bun` runtime adds moderate supply-chain risk. This looks more like a third-party backend wrapper than a clean direct-provider integration.