WeChat Official Account (公众号发文)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeChat publishing helper, but browser mode has enough sensitive account access and under-scoped automation to warrant review before installation.

Install only if you are comfortable giving this skill authority over a WeChat Official Account. Recommended precautions:
  • Prefer API mode when possible.
  • Use a local or trusted analyzer for browser mode.
  • Avoid shared machines.
  • Protect or clear the browser profile directory.
  • Do not use debug/step capture unless needed.
  • Manually review drafts before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares no explicit permissions while its documented behavior clearly relies on environment variables, file access, and network communication. This weakens security review and user consent because operators may invoke a skill without understanding that it can read secrets, access local files, and send data externally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented browser mode sends WeChat admin page HTML to an external LLM for state analysis, and the skill itself warns that such HTML may contain login state, tokens, and backend data. That is a real confidentiality risk because highly sensitive authenticated content from a publisher dashboard can be exfiltrated to third-party services, and the mismatch between the description and the actual behavior makes it easier to miss during review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The analyzer captures WeChat backend page HTML and URL, then packages that content for an LLM to decide browser actions. Even with some token redaction and script/style removal, backend pages can still contain sensitive account metadata, unpublished article content, identifiers, and operational state that exceed the minimum data needed for article publishing. In this skill context, the target is a privileged WeChat admin console, so sending page snapshots to a third-party model materially increases data-exposure risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The browser context requests clipboard-read and clipboard-write permissions even though the script's stated purpose is logging in and drafting/publishing WeChat articles. Excessive permissions increase the blast radius of compromise or misuse because the automated session could read sensitive clipboard contents or overwrite the clipboard without a clear user need.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The code builds a prompt from page.url and page.content(), then sends it to a remote OpenAI-compatible endpoint without any user-facing disclosure or consent mechanism in this file. Because the page is the WeChat Official Account backend, this may expose sensitive administrative content and unpublished material to an external service unexpectedly. Lack of transparency makes the data transfer more dangerous and harder for users to evaluate or opt out of.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script creates and reuses a persistent browser profile under ~/.openclaw/wechat-mp-browser, which retains login/session artifacts for the WeChat account. Storing long-lived authenticated state without clear disclosure or lifecycle controls can expose account access to other local users, malware, backups, or later unintended reuse.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: In debug mode, the script writes full page HTML to ~/.openclaw/wechat-page-check.html. WeChat management pages may contain sensitive article content, account metadata, identifiers, and authenticated UI state, so dumping raw HTML to disk can create a local data-exposure risk without adequately warning the user.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The debug path captures both screenshots and full HTML snapshots of the authenticated publishing page and stores them on disk. These artifacts can contain unpublished article text, account information, QR/login state, or other sensitive operational data, making local disclosure or accidental sharing more likely.

VirusTotal

63/63 vendors flagged this skill as clean.