微信文章抓取器 - 安全版

Security checks across malware telemetry and agentic risk

Overview

This is a local WeChat article fetcher whose browser use, network fetching, and file output match its stated purpose, with a privacy wording caveat.

Install only if you are comfortable running a local Node/Puppeteer browser tool that contacts WeChat article and image servers and saves extracted content locally. Use known article URLs, avoid sensitive browsing contexts, and consider pinning dependencies or using a lockfile for reproducible installs.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: The README states '本地运行，数据不外传' ('runs locally, data is not sent externally'), but the documented usage explicitly fetches remote WeChat article URLs, which necessarily causes outbound network requests and may expose user IP, headers, cookies/session state in the browser context, or fetched content to third parties. This is dangerous because users may rely on the privacy claim when handling sensitive URLs or running the tool in restricted environments, leading to trust and compliance issues even if the code is not overtly exfiltrating data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal