WeChat Channel Live Replay

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated WeChat replay download purpose, but it needs review because it uses a TikHub token and writes files using unsanitized user-provided names.

Review before installing. Use a limited TikHub token, install ffmpeg and Python packages only from trusted sources, and avoid channel names or dates containing slashes, '..', or path-like text until the output path handling is fixed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill sends user-supplied search keywords and related query data to the third-party TikHub API, but the description does not clearly warn about this external transmission. In this context, users may enter sensitive account names, business targets, or monitoring subjects, so the lack of disclosure creates privacy and data-handling risk and prevents informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal