Doc Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is a real WeChat document-publishing tool, but it includes unguarded draft-deletion scripts and unsafe credential handling that users should review before installing.

Install only if you are comfortable giving this skill WeChat official-account API credentials and manually reviewing every script before running it. Avoid the draft-clearing scripts unless you intentionally want to delete drafts; rotate any credential values copied from the examples; keep .env private and out of version control; and use a test WeChat account where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Context-Inappropriate Capability
Severity: High (95% confidence)
This code performs authenticated remote deletion of WeChat drafts, which is a destructive action with no confirmation, scoping, or dry-run protection. In an agent skill context with no manifest or explicit user-consent boundary, this is dangerous because running the script can irreversibly remove content from a live external account.

Context-Inappropriate Capability
Severity: Medium (92% confidence)
After remote deletions, the script unconditionally overwrites the local publish-record file and clears article state. This can destroy operational history and make recovery or auditing harder, especially if deletions partially failed or the record file was broader than the deleted set.

Intent-Code Divergence
Severity: Medium (89% confidence)
The script behavior does not match its top-level description: it not only uploads an image, but also rewrites the local .env file. This hidden side effect increases operational risk because users may run it expecting a read/upload-only action and unintentionally alter configuration used by other tooling or deployments.

Intent-Code Divergence
Severity: High (98% confidence)
The configuration example includes realistic-looking WeChat APPID and SECRET values in plaintext while presenting them as user-fill placeholders. Even if they are sample values, publishing credential-like secrets in documentation trains users to expose secrets in chat and files, and may leak real credentials if copied from a live environment.

Missing User Warnings
Severity: Medium (92% confidence)
The script reads a local document, converts it to HTML, and immediately submits the full content to the WeChat API without any interactive confirmation, dry-run mode, or explicit safeguard before external transmission. In a publishing example this may be intentional, but it still creates a real risk of accidental disclosure of sensitive or unpublished material if the wrong file is targeted or the script is run in the wrong environment.

Missing User Warnings
Severity: Medium (90% confidence)
The README explicitly markets publishing local Markdown documents to a WeChat public account, which means local content is sent to an external third-party platform. While this appears to be the tool's intended purpose, the documentation does not prominently warn users about the data transfer, privacy implications, or risk of accidentally uploading sensitive local files.

Missing User Warnings
Severity: Low (86% confidence)
The .env example shows realistic credential-like values without clearly labeling them as placeholders. Users may mistakenly reuse them, assume they are safe defaults, or commit them to version control, increasing the chance of credential exposure or operational confusion.

Missing User Warnings
Severity: High (98% confidence)
The script unconditionally deletes all existing drafts as soon as it runs, with no confirmation, dry-run mode, scope restriction, or backup. In an automation or agent context, this makes accidental destructive data loss very likely, especially if triggered against the wrong account or environment.

Missing User Warnings
Severity: Medium (96% confidence)
The script carries out irreversible remote deletion and then clears the local tracking file without any interactive confirmation or prominent safeguard. In practice, accidental execution, wrong environment selection, or stale publish records could cause unrecoverable content and bookkeeping loss.

Missing User Warnings
Severity: Medium (86% confidence)
The script writes directly back to the original markdown path, replacing the file contents without confirmation, backup, atomic write, or validation. In an agent/automation context this can cause irreversible data loss or silent corruption of documentation if the script is triggered on the wrong file or with malformed generated content.

Missing User Warnings
Severity: Medium (95% confidence)
The script contains hardcoded WeChat APPID and SECRET and immediately uses them to obtain an access token and upload a local file to a remote service. Embedding live credentials in source code and performing network transmission without an explicit approval step creates both secret-exposure risk and unauthorized data transmission risk if the script is run unintentionally or the repository is shared.

Missing User Warnings
Severity: Medium (92% confidence)
The script automatically rewrites the local .env file after a successful upload, with no prior warning beyond status messages and no confirmation from the user. Silent configuration mutation can break environments, overwrite intended values, or introduce persistence of external IDs in sensitive config files that may later be committed or deployed.

Vague Triggers
Severity: Medium (90% confidence)
Marking the skill as user-invocable with a broad natural-language publishing purpose increases the chance that ordinary chat requests will trigger sensitive actions unexpectedly. Because the skill can publish local content to an external WeChat service, ambiguous activation raises the risk of unintentional data transmission.

Vague Triggers
Severity: Medium (95% confidence)
The recommended trigger phrase '发布 D:\你的文档目录 下的文档到公众号' is broad and resembles a normal user request rather than a clearly bounded tool command. In this context, that ambiguity is risky because it may cause the assistant to publish local documents externally without sufficiently explicit consent.

Missing User Warnings
Severity: High (97% confidence)
The skill description emphasizes convenience but does not clearly warn that using the tool sends local Markdown content and configured WeChat credentials or tokens to external WeChat services. Users may therefore invoke it without understanding the data transfer and privacy implications.

Missing User Warnings
Severity: Medium (96% confidence)
The documentation instructs users to handle a .env containing sensitive credentials but does not warn them to protect the file, avoid sharing it, or keep it out of source control. This omission increases the likelihood of accidental secret disclosure during setup or troubleshooting.

Vague Triggers
Severity: Medium (95% confidence)
The documented activation phrase is a natural-language request ('发布 D:\你的文档目录 下的文档到公众号') that closely resembles an ordinary user instruction, which increases the chance of accidental or ambiguous skill invocation. In a publishing skill that can write files and initiate publication workflows, this broad trigger can cause unintended execution on user-provided paths or surprise side effects when the user was only discussing publishing rather than authorizing it.

Missing User Warnings
Severity: Medium (89% confidence)
The skill describes generating preview HTML files and writing a publication record JSON under the target document directory, but it does not prominently warn users about these filesystem side effects before use. This can lead to unexpected file creation, metadata leakage (e.g., draft IDs, file paths, timestamps), or modification of directories the user did not intend to change.

Ssd 3
Severity: High (94% confidence)
The README includes what appears to be a real WeChat app configuration and secret in plaintext example values. If these values are genuine, they expose credentials that could allow unauthorized access to the associated WeChat account or API resources.

Ssd 3
Severity: High (99% confidence)
The plaintext .env example shows real-looking secret values and normalizes the practice of embedding secrets directly in documentation and natural-language setup steps. This can lead users to reveal credentials in screenshots, chats, copied examples, or checked-in files, enabling account compromise.

VirusTotal

67/67 vendors flagged this skill as clean.