Back to skill

Security audit

wechat-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a real WeChat desktop automation tool, but it can send messages through the active logged-in session without enforced recipient confirmation and stores chat screenshots locally.

Install only if you are comfortable letting an agent control your logged-in WeChat desktop app. Manually verify the active chat and message before any send, and delete generated screenshot files and clear the clipboard after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a WeChat message-sending skill, but its documented behavior also includes taking screenshots of the WeChat window, writing image files to disk, and reading/writing the system clipboard. Those capabilities materially expand data exposure beyond simple message sending because screenshots may capture chat history or contact information and clipboard access can expose unrelated sensitive data. In a desktop automation skill, these actions may be functional, but failing to clearly declare them creates a transparency and privacy risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The exposed MCP interface only provides a tool that sends to the currently focused/open chat, while the skill is described as sending to a specified contact. That mismatch is security-relevant because GUI automation can easily target the wrong recipient if the active chat is different than the user expects, causing irreversible message disclosure to unintended parties.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill captures screenshots of WeChat windows and saves them to disk, which can include chat histories, contact names, search results, and message contents unrelated to the requested send operation. Persisting such images creates unnecessary local data exposure and turns a simple messaging action into collection of sensitive communications data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The automation sends the message immediately via Enter and a button click fallback without any explicit confirmation or final validation of recipient and content. In a GUI-driven workflow, focus errors, stale windows, or mistaken chat selection can cause messages to be sent to the wrong person, and the action is not easily reversible.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code places message content onto the system clipboard without disclosure or isolation. Clipboard contents are globally accessible to other applications and may overwrite sensitive user data already there, creating privacy leakage and unintended side effects beyond the skill's stated purpose.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Writing screenshots of chat/search windows to disk without clear disclosure creates a persistent record of potentially sensitive communications metadata and content. Even if intended for verification, these files may remain on disk, be synced, backed up, or read by other local users/processes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
Confidence
96% confidence
Finding
pyautogui>=0.9.54

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
Confidence
96% confidence
Finding
pygetwindow>=0.0.9

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
96% confidence
Finding
pytesseract>=0.3.13

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
98% confidence
Finding
Pillow>=12.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
95% confidence
Finding
pyperclip>=1.11.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
98% confidence
Finding
opencv-python>=4.13.0

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
87% confidence
Finding
Pillow

Known Vulnerable Dependency: opencv-python — 10 advisory(ies): CVE-2017-12864 (Integer Overflow or Wraparound in OpenCV); CVE-2017-12598 (Out-of-bounds Read in OpenCV ); CVE-2019-14493 (NULL Pointer Dereference in OpenCV.) +7 more

High
Category
Supply Chain
Confidence
85% confidence
Finding
opencv-python

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.