微信公众号文章抓取（Alex版）

Security checks across malware telemetry and agentic risk

Overview

This skill is a small instruction-only WeChat article fetcher that uses a public third-party service, with the main risk being link privacy.

Install only if you are comfortable sending WeChat article links to down.mptext.top. Avoid using it with confidential, private, access-restricted, or tracking-sensitive URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to send user-supplied WeChat article URLs to a third-party public service (down.mptext.top) without any disclosure, consent, trust boundary explanation, or data-handling warning. Even if only the URL is sent, links can contain sensitive identifiers, private article references, tracking parameters, or reveal user reading interests, and the public endpoint becomes an unvetted external processor for user data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal