wechat-md-publish

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeChat publishing helper that needs account credentials and can publish content, but its sensitive behavior matches its stated purpose.

Install only if you are comfortable giving the skill WeChat Official Account API credentials and sending selected Markdown content plus referenced local images to WeChat. Prefer creating drafts first, use --publish only after explicit review, and protect ~/.wechat_publish/config.json and token_cache.json with restrictive permissions or a dedicated environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Session Persistence

Medium

Category: Rogue Agent
Content: ### 3. 创建配置文件 ```bash mkdir -p ~/.wechat_publish cat > ~/.wechat_publish/config.json << 'EOF' { "app_id": "你的AppID",
Confidence: 82% confidence
Finding: mkdir -p ~/.wechat_publish cat > ~/.wechat_publish

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal