Back to skill

Security audit

Wechat Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: publish a chosen Markdown article and images to WeChat drafts, while using WeChat credentials and a global CLI dependency.

Install only if you intend to send the selected Markdown content and referenced images to WeChat. Review the article and image paths first, keep WECHAT_APP_SECRET out of git and shared logs, prefer secure environment injection over plaintext TOOLS.md when possible, and install or verify @wenyan-md/cli yourself if you do not want the script to perform a global npm install.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs use of a separate local file containing API credentials, creating a natural-language path for an agent to seek out and expose secrets unrelated to the immediate Markdown content. In an agent setting, documentation that points to secret-bearing files materially increases the chance of credential disclosure or unauthorized use during task execution.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script modifies the host by globally installing an npm package when `wenyan` is missing, which exceeds the narrowly expected behavior of publishing a Markdown file. This creates supply-chain and environment-integrity risk because execution depends on fetching and installing code from the network at runtime, without pinning a version, verifying provenance, or obtaining explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script pulls WeChat credentials from a fixed global workspace file under $HOME rather than from a task-scoped secret source. This broadens secret exposure and creates an implicit trust boundary: any process, repository, or user workflow that can influence TOOLS.md may cause the skill to ingest unintended credentials, increasing the chance of secret misuse or accidental cross-project leakage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes one-click publishing and automatic image upload to WeChat, but does not clearly warn users that article text, metadata, local images, and remote image references may be transmitted to external WeChat services. In an agent skill context, this increases the risk of users publishing sensitive or private content without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The credential setup instructions tell users to place AppID and AppSecret into configuration without clearly emphasizing that these are sensitive secrets that must not be committed, logged, or shared. In a skill ecosystem where files may be inspected or reused by agents, weak secret-handling guidance can lead to credential exposure and unauthorized access to the connected WeChat account.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation phrase is broad enough to match ordinary conversation about publishing an article, which can cause accidental activation of the skill. In a skill that performs external publication, unintended triggering can lead to unreviewed uploads, draft creation, or processing of user files without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises automatic image upload for local and remote images but does not place a clear warning at the point of use that user content will be transmitted to an external service. This can cause users to unknowingly upload sensitive local files or private remote resources to WeChat infrastructure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation discusses credential setup and points to stored secrets without clearly warning about secret handling risks. This normalizes exposing or retrieving sensitive values in conversational workflows, increasing the risk that an agent will read, reveal, or misuse API credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document promotes automatic image upload and one-click publishing to a public platform without warning users that local files and remote images may be transmitted to external services or that content may be published externally. In a publishing skill, this omission increases the chance of accidental data disclosure or unintended publication, especially for users testing with real content or sensitive images.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The example instructs users to configure credentials but provides no warning about secret handling, storage, or leakage risks. In practice, users may place tokens or account secrets in insecure files, commit them to version control, or expose them in logs while setting up the publishing workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide tells users to place WECHAT_APP_ID and WECHAT_APP_SECRET directly into shell commands and persistent shell startup files, but does not warn that these are sensitive credentials. This increases the chance of accidental exposure through shell history, shared dotfiles, screenshots, backups, or commits, which could allow unauthorized use of the WeChat publishing integration.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script performs `npm install -g @wenyan-md/cli` automatically and without any confirmation prompt or warning, so a normal publish action can unexpectedly trigger privileged system changes and network retrieval of executable code. In a security-sensitive agent skill, this is dangerous because users may not realize the skill has package-management capability, and a compromised or unexpected dependency could execute during install.

Ssd 3

Medium
Confidence
97% confidence
Finding
By directing the agent to retrieve API credentials from a local TOOLS.md file, the skill creates an explicit prompt path to access sensitive data from disk. In agentic environments, this is especially dangerous because it turns secret discovery and possible disclosure into part of the documented workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.