Back to skill

Security audit

Wechat Auto Post

Security checks across malware telemetry and agentic risk

Overview

This is a simple WeChat article drafting skill; despite broad wording about posting, it contains no code or mechanism to publish, persist, or access accounts.

Use this as a drafting aid, not as an autopublisher. Review generated text for accuracy, originality, platform compliance, sensitive content, and tone before manually posting it to any public account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger conditions are broad enough to match ordinary requests like creating social media content, which can cause the skill to activate unexpectedly. In an agent environment, unintended invocation can lead to the wrong workflow being applied, including generation of externally intended content without clear user consent or context boundaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Describing the skill as capable of 'automatic publishing' without clear warning, consent language, or safety controls obscures that the output may be sent to a public external channel. This increases the risk of accidental publication, reputational harm, and unauthorized outward communication if later connected to real posting automation.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.