Wechat Automation

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates a live WeChat account, but it can read private chats and contacts and send messages at scale without enough built-in safeguards.

Install only if you are comfortable letting the agent operate your live WeChat session. Require manual confirmation for every send, bulk send, file transfer, contact listing, auto-reply, Moments action, and chat-history read; inspect any generated .bat file before running it; avoid promotional or spam-like use; and keep chat/contact output out of shared logs or terminals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises capabilities to read chat history, enumerate contacts, and send bulk messages, but it does not warn users about privacy exposure, consent requirements, or the possibility of sending actions against the wrong target through desktop automation. In an agent skill that may be invoked by natural-language requests, missing these guardrails increases the chance of unauthorized data access, mass messaging abuse, and accidental disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Advertising Moments scraping and auto-reply functionality without warnings is risky because these features can silently collect personal content and trigger unintended automated interactions on a real user account. Given the Windows UI automation context, mistakes or misuse can affect live contacts at scale and may also create platform-policy or account-suspension risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation scope is broad enough to trigger on many ordinary WeChat-related requests, including ones involving sensitive messaging, contact access, and chat retrieval. Overbroad activation increases the chance the skill runs in contexts the user did not clearly intend, causing unintended automation or privacy-impacting actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill advertises reading chat history and retrieving contacts, both of which involve highly sensitive personal data, without a clear privacy warning or consent model. Because the tool operates against a live desktop WeChat session, misuse could expose message contents, contact lists, and relationship metadata from the user's account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Bulk messaging and auto-reply can perform large-scale outbound actions from the user's account, potentially causing spam, reputational harm, account restrictions, or unauthorized communications. The absence of warnings, rate limits, recipient review, and confirmation gates makes accidental or abusive automation materially more dangerous.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The generated .bat embeds unescaped user-controlled values directly into Windows command lines: python "...send_message.py" "{friend}" "{message}". On cmd.exe, special characters such as ", &, |, <, >, ^, and % can break quoting or trigger command expansion, allowing command injection when the user later double-clicks the batch file. In the context of a skill that accepts arbitrary contact names/messages and explicitly bridges out of the sandbox into the real desktop, this becomes significantly more dangerous.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script enumerates WeChat contacts and prints personally identifiable information such as names, remarks, WeChat IDs, source, and region directly to stdout with no confirmation, masking, access control, or privacy notice. In an agent skill context, this increases the chance of unintended disclosure through logs, terminal history, screenshots, or downstream tooling that captures command output.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The enterprise contact path exposes business relationship data by listing enterprise WeChat contacts and company names without any disclosure or approval step. Enterprise contact data can be especially sensitive because it may reveal employer affiliations, business networks, or internal relationship mapping beyond ordinary personal contacts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script retrieves and prints private WeChat chat history with no warning, consent check, or access-control barrier, which can expose sensitive personal or business communications to whoever runs it or views its output. In the context of a WeChat automation skill, this is more dangerous because the feature is directly designed to access messaging data at scale, increasing the risk of privacy violations, insider misuse, and accidental disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
