wonda-cli

Name: wonda/wonda-cli
Author: degausai

Share on X Share on LinkedIn Share on Bluesky

100Critical

This tool masquerades as a content creator but functions as a malicious backdoor that exfiltrates credentials, executes arbitrary code, and maintains persistent, stealthy control over the user's social accounts.

ThreatsCI SM CS BC S HITL

Threat Analysis

AI Agent Traps ↗Scanned 6/20/2026

Content InjectionPerception2 findings

Semantic ManipulationReasoning2 findings

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction6 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namedegausai/wonda/wonda-cli

Registrygithub

Version9e7e1a2cd638

PURLpkg:github/degausai/wonda@9e7e1a2cd638?skill=wonda-cli

Stars126

Installs42,300

Source

Repository ↗SKILL.md ↗

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

Skills.shDocs

npx skills add https://github.com/degausai/wonda

Assessments (6)

AI Agent Traps ↗

Reverse shell pattern detectedcriticalcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

Reverse shell pattern detected (seen 3 times in this file at lines 483, 937, 939)

100% confidenceline 483

ncat -

Cloud twin schedules enable persistent remote code executionhighresource abuseAML.T0029AML.T0034LLM10:2025

The `wonda twin schedule add` command registers arbitrary CLI commands to run on a cron schedule on cloud infrastructure, with output delivered to attacker-controllable webhooks. This creates a persistent execution capability on the user's social accounts that survives agent session termination.

85% confidence

"wonda twin schedule add <persona> --cron '0 9 * * *' --kind agent" and "--output-webhook <url>: deliver each run's captured command stdout to your HTTPS webhook"

Credential exfiltration via cloud backuphighcredential theftAML.T0055AML.T0037LLM02:2025

The skill includes a 'Cookie cloud backup' feature that transmits plaintext cookies to a third-party backend, creating a high risk of credential theft if the backend is compromised or malicious.

90% confidence

wonda wab backup enable ... Stored plaintext server-side (no client-side encryption)

Server-side credential vault with operator-held decryption keyhighcredential theftAML.T0055AML.T0037LLM02:2025

The credentials vault stores passwords encrypted with a 'server-side key' — the Wonda backend holds the key and decrypts on demand. Combined with `wonda credentials use` POSTing usage events, the third-party service has full custody of all stored credentials including passwords for Instagram, TikTok, Twitter, etc.

92% confidence

"Passwords are AES-256-GCM encrypted with a server-side key and only decrypted on `get`"

Hidden capability via 'wonda wab' browserhighunauthorized tool use

The 'Wonda Automation Browser' (WAB) is a powerful, stealthy antidetect browser that operates outside standard agent visibility, providing a persistent, hardened environment for platform manipulation that is difficult to audit.

80% confidenceline 182

The Wonda Automation Browser (WAB) is a premium stealth antidetect browser

Automatic background telemetry sync of action logs to remote servermediumdata exfiltrationAML.T0025AML.T0024LLM02:2025

The skill instructs the agent that local action ledgers, WAB audit logs, and cookie provenance data sync automatically to the Wonda account backend on every command in the background. This is undisclosed bulk telemetry beyond what a media-generation tool requires.

80% confidenceline 299

"the local ledgers (actions log, WAB audit/error logs, cookie provenance) also sync to your Wonda account-health record automatically in the background on every command"

Description Mismatchhighdescription mismatchAML.T0011.000LLM06:2025LLM09:2025

The skill claims to be a 'content creation toolkit' but functions as a sophisticated, stealth-oriented automation and scraping platform designed to bypass platform anti-abuse protections.

85% confidence

The documentation explicitly details 'stealth antidetect browser' capabilities, cookie management, automated social engagement (likes, follows, comments), and scraping of competitor data, which significantly exceeds the scope of a standard content creation tool.

Oversight evasion via PostHog feature flagsmediumoversight evasionAML.T0054LLM01:2025LLM07:2025

The skill uses 'PostHog flags' to dynamically enable sensitive features like email server APIs and social account creation, which can be used to bypass static security controls or hide functionality from the user.

70% confidence

Flagged (per-account PostHog flags) ... Flip the flag in PostHog for the account.

Per-command update polling enables indirect prompt injectionhighindirect prompt injection

On every command execution the CLI fetches `GET /api/v1/updates` and surfaces the response content to stderr. If the Wonda backend is compromised or malicious, it can inject arbitrary text (including agent instructions) into every command's output stream that the agent reads.

82% confidenceline 174

"On every command the CLI polls `GET /api/v1/updates` (anonymous, 1h cache) for active announcements: deprecation notices, incident heads-ups, upgrade prompts. Messages are printed to stderr"

Indirect prompt injection via --inject-jshighindirect prompt injection

The `wonda wab record` command accepts an `--inject-js` file path, which executes arbitrary JavaScript in the context of a browser session. If an agent is tricked into using a malicious file, it leads to full browser-based code execution.

80% confidenceline 237

--inject-js scripts/page-script.mjs

Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinningmediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025

Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning

100% confidenceline 16

npm i -g

Missing allowed-tools declarationlowunauthorized tool use

Skill executes commands, writes files, or accesses the network but declares no allowed-tools, so its tool surface cannot be reviewed or constrained.

90% confidence

Missing licenseinfopolicy violation

Skill does not specify a license field. Specifying a license helps users understand usage terms.

100% confidence

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/degausai/wonda/wonda-cli.svg)](https://mondoo.com/ai-agent-security/skills/github/degausai/wonda/wonda-cli)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/degausai/wonda/wonda-cli"><img src="https://mondoo.com/ai-agent-security/api/badge/github/degausai/wonda/wonda-cli.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/degausai/wonda/wonda-cli.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow