100Critical
This skill allows arbitrary code execution, file exfiltration,
Behavior Analysis
Mismatch detected — The skill's actual behavior significantly expands beyond 'using the Wiki API' to 'create, update, and manage wiki pages'. It includes extensive functionality for generating content, specifically orchestrating browser automation (Playwright) to take screenshots and interacting with a local development environment (`sail artisan`) to prepare demo data, which goes beyond simple API interaction.
Claims to do
KibiConnect Wiki Documentation: Create, update, and manage wiki pages on the Weslink KibiConnect platform using the Wiki API.
Actually does
This skill generates Python code to interact with the Weslink KibiConnect Wiki API. It reads an API key from `~/.claude/projects/*/memory/weslink-wiki-api.md`, constructs HTTP requests using `urllib.request` to `https://weslink.kibi.de/api/v1/wiki` for page creation/updates and `https://weslink.kibi.de/api/v1/media/upload` for image uploads, always including a specific User-Agent. It also provides detailed instructions and helper functions for taking screenshots using Playwright browser automation (`browser_take_screenshot`) and preparing demo data via `sail artisan` commands, then uploading these local image files.
Skill Info
Nameweslinkde/weslink-claude-marketplace/wiki
Registrygithub
Versionbcded21cfab7
PURLpkg:github/weslinkde/weslink-claude-marketplace@bcded21cfab7?skill=wiki
Source
SHA-2564d21c7691ec7...
SHA-1c567c55f3c2b...
MD516258c4ba613...
TLSH3d52d631a814...
ssdeep384:x2t7WPMJ...
Size14,454 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
Assessments (4)
AI Agent Traps ↗Data Exfiltration via Arbitrary File Uploadcriticaldata exfiltration
The `upload_image` Python helper function reads content from an arbitrary `file_path` and sends it to an external API endpoint with the API key, enabling exfiltration of any file readable by the agent if the `file_path` argument can be controlled by an attacker.
100% confidenceline 148
with open(file_path, "rb") as f: file_data = f.read() ... urllib.request.Request(f"{BASE_URL}/media/upload", data=body, headers={"Authorization": f"Bearer {API_KEY}", ...})Command Execution via Shell Commandshighcommand execution
The skill explicitly instructs the agent to execute a shell command (`./vendor/bin/sail artisan kibi:setup --demo`), demonstrating the agent's capability to run arbitrary commands which could be exploited for malicious purposes.
100% confidenceline 245
Use `./vendor/bin/sail artisan kibi:setup --demo` for base data
Dynamic Python Code Generation and Executionhighcommand execution
The skill instructs the agent to generate and write a Python helper module to `/tmp/wiki_helpers.py` and implicitly execute it. This pattern allows for arbitrary code injection and execution if the agent can be prompted to modify the Python code before writing.
100% confidenceline 29
For creating wiki content, generate a Python helper module in `/tmp/wiki_helpers.py`. This is the recommended approach...
Sensitive Data Capture via Screenshotsmediumdata exfiltration
The instruction to use `browser_take_screenshot` could lead to the capture of sensitive information if the agent is manipulated into navigating to a confidential page or fails to dismiss overlays, potentially leading to data exfiltration.
100% confidenceline 262
Use browser_take_screenshot with appropriate viewport
External API Interaction with Credential Usemediumcredential theft
The skill uses `urllib.request` to interact with an external API, including an API key in the `Authorization` header. This makes the API key vulnerable to exposure if the agent is tricked into logging requests or sending it to an attacker-controlled endpoint (SSRF).
100% confidenceline 148
req = urllib.request.Request(f"{BASE_URL}/wiki", data=data, headers={"Authorization": f"Bearer {API_KEY}", ...})API Key Read from Filesystem (Credential Harvesting)highcredential harvesting
The skill instructs the agent to read API credentials from the user's Claude memory directory using a glob path. This enables the skill to exfiltrate credentials stored in sensitive local directories without explicit user consent for each access.
85% confidenceline 13
The API key is stored in the user's Claude memory directory. Read it from: ``` ~/.claude/projects/*/memory/weslink-wiki-api.md ```
Credential Written to World-Accessible /tmp Filehighcredential theft
The workflow instructs the agent to write an API key into a Python file in /tmp, which is world-readable on most Unix systems. Any local process or user can read /tmp/wiki_helpers.py and extract the API key. The file persists across sessions until explicitly cleaned up.
90% confidenceline 200
2. **Write helper module** to `/tmp/wiki_helpers.py` with the API key filled in
Hardcoded Placeholder API Key in Generated Codemediumhardcoded secrets
The skill template includes a hardcoded placeholder API_KEY string in the Python helper module. When the agent fills in the real key and writes to disk, this creates a persistent secret-bearing file in /tmp that is not automatically cleaned up.
75% confidenceline 35
API_KEY = "your-api-key-here"
Undeclared Filesystem Write to /tmp (Tool Poisoning)mediumtool poisoning
The skill instructs the agent to create and write executable Python code to /tmp/wiki_helpers.py as a side effect of normal wiki operations. This is an undeclared persistent artifact that modifies the filesystem and can be used or modified by other processes.
80% confidenceline 29
For creating wiki content, generate a Python helper module in `/tmp/wiki_helpers.py`. This is the recommended approach for creating TipTap JSON content
Hardcoded Internal Page ID and Organizational Structurelowreconnaissance
The skill embeds a specific internal page ID and organizational structure details. This constitutes encoded reconnaissance data about the internal wiki structure that could be used to target specific resources.
50% confidenceline 195
These are nested under the parent page "Kunden Handbucher" (ID: `01hwq76hz1hrwf3z4wmj77mfh2`).
Strong Directives for Agent Behaviorinfooversight evasion
The skill employs strong, imperative language ("MUST include", "Always use", "NEVER use") to guide the agent's actions, which, while intended for correct functionality, could be used to enforce specific behaviors or prevent agent deviations.
100% confidenceline 21
All API requests MUST include a browser-like User-Agent header.
Description Mismatchmediumdescription mismatch
The skill's actual behavior significantly expands beyond 'using the Wiki API' to 'create, update, and manage wiki pages'. It includes extensive functionality for generating content, specifically orchestrating browser automation (Playwright) to take screenshots and interacting with a local development environment (`sail artisan`) to prepare demo data, which goes beyond simple API interaction.
85% confidence
The skill details steps for 'Prepare Demo Data' using `./vendor/bin/sail artisan kibi:setup --demo`, 'Take Screenshots with Playwright' using `browser_take_screenshot`, and 'Upload Images via API' from local files, which are not direct Wiki API operations but rather content generation and preparation steps.
Cloudflare Bypass via Spoofed User-Agent Headermediumoversight evasion
The skill mandates use of a browser-spoofing User-Agent string to bypass Cloudflare bot protection. This instructs the agent to impersonate a browser to circumvent security controls, which may violate the target platform's terms of service and conceals the agent's true identity.
80% confidenceline 21
**All API requests MUST include a browser-like User-Agent header.** Without it, Cloudflare returns a 403 error (Error 1010). Always use: ``` User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 ```
Autonomous Code Generation and Execution Without Confirmationmediumautonomy abuse
The workflow pattern instructs the agent to autonomously generate Python code, write it to disk, and execute API calls without requiring user confirmation at each step. The 4-step workflow is presented as a linear automated sequence, reducing human oversight opportunities.
70% confidenceline 205
## Workflow 1. **Read API key** from memory directory 2. **Write helper module** to `/tmp/wiki_helpers.py` with the API key filled in 3. **Build content** using the helper functions 4. **Create/update pages** via the API functions
Potential RAG Poisoning via Reference Fileslowrag poisoning
The skill mentions loading reference files (`tiptap-nodes.json`, `api-endpoints.json`). If these files are not secured, an attacker could manipulate them to poison the agent's understanding of API schemas or content structures.
100% confidence
load files from `references/`: - `references/tiptap-nodes.json` - `references/api-endpoints.json`
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/weslinkde/weslink-claude-marketplace/wiki)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/weslinkde/weslink-claude-marketplace/wiki"><img src="https://mondoo.com/ai-agent-security/api/badge/github/weslinkde/weslink-claude-marketplace/wiki.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/weslinkde/weslink-claude-marketplace/wiki.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow