
Security audit

wechat-comic-factory

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its WeChat comic-publishing purpose, but ordinary generation commands can upload content and create WeChat draft-box entries without a separate publish confirmation.

Install only if you are comfortable handing the skill your model-provider API keys and WeChat Official Account app credentials. Treat every generation run as potentially publishing to the WeChat draft box unless you pass --skip_publish or modify the workflow so that uploads and draft creation require explicit confirmation. Keep config.json, the output directory, logs, publish_result.json, and cached WeChat access tokens private.
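One way to add the confirmation step recommended above, as an added example and not code from wechat-comic-factory: a fail-closed gate that runs after generation and before the only outbound call. The --skip_publish flag is the one named on this page; --confirm_publish, the function names, the Article shape and the stubbed generate/upload steps are assumptions made for the example.

```python
"""Fail-closed publish gate for a generate-then-publish pipeline.

Added example, not code from wechat-comic-factory. --skip_publish is the flag
named on the audit page; --confirm_publish, the function names and the stubbed
generate/upload steps are assumptions for illustration.
"""
import argparse
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Article:
    title: str
    html: str
    image_paths: List[str]


class PublishBlocked(Exception):
    """Raised when draft creation was requested but not explicitly confirmed."""


def parse_args(argv: List[str]) -> argparse.Namespace:
    parser = argparse.ArgumentParser(description="generate a comic article")
    parser.add_argument("--skip_publish", action="store_true",
                        help="generate locally only; never upload")
    parser.add_argument("--confirm_publish", action="store_true",
                        help="non-interactive opt-in to upload and draft creation")
    return parser.parse_args(argv)


def describe_side_effects(article: Article) -> str:
    """Summarise exactly what leaves the machine if publishing proceeds."""
    return (f"Upload to WeChat draft box: title={article.title!r}, "
            f"{len(article.html)} bytes of HTML, {len(article.image_paths)} image(s)")


def publish_decision(args: argparse.Namespace, article: Article,
                     confirm: Callable[[str], bool]) -> str:
    """Return 'skip' or 'publish'; raise PublishBlocked otherwise.

    With no flags the gate asks for confirmation and fails closed, so an agent
    that runs an ordinary generation command cannot upload silently.
    """
    if args.skip_publish:
        return "skip"
    if args.confirm_publish:
        return "publish"
    if confirm(describe_side_effects(article)):
        return "publish"
    raise PublishBlocked("draft creation not confirmed; rerun with "
                         "--confirm_publish or --skip_publish")


def run_pipeline(argv: List[str],
                 generate: Callable[[], Article],
                 create_draft: Callable[[Article], str],
                 confirm: Callable[[str], bool]) -> dict:
    """Generate first, then consult the gate before any network side effect."""
    article = generate()
    args = parse_args(argv)
    decision = publish_decision(args, article, confirm)
    result = {"title": article.title, "decision": decision, "media_id": None}
    if decision == "publish":
        result["media_id"] = create_draft(article)  # the only outbound call
    return result


def _demo_generate() -> Article:
    # Constructed sample article standing in for the LLM/image generation step.
    return Article("Chapter 1", "<p>panel 1</p>", ["output/p1.png"])


def _demo_create_draft(article: Article) -> str:
    # Stand-in for the WeChat draft-box upload; returns a fake media id.
    return "media-id-for-" + article.title.replace(" ", "-").lower()


if __name__ == "__main__":
    # Interactive use: the default path prompts before uploading anything.
    print(run_pipeline([], _demo_generate, _demo_create_draft,
                       lambda s: input(s + "\nProceed? [y/N] ").lower() == "y"))
```

The point of the design is the default branch: an agent invoking the command with no flags gets a prompt it cannot answer and the run fails without touching the network, while a human who wants the old one-shot behaviour opts in explicitly with --confirm_publish.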

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes local Python scripts that read configuration files, write task/output state, and make outbound network calls to model providers and WeChat, yet the skill declares no permissions. This under-disclosure is dangerous because users and policy layers cannot accurately assess or constrain what data the skill can access or transmit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated behavior is narrower than the actual operational scope: beyond simple 'generate and publish' behavior, the skill uses external LLM/image APIs, downloads remote assets, uploads content to WeChat, reads credentials, and persists tokens/state locally. This mismatch can mislead users into authorizing a workflow with significantly broader data exposure and side effects than described.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents commands that can publish generated content to the WeChat Official Account draft box, but it does not clearly foreground that this is an external network action that uploads article content and images to a third-party platform. In an agent skill context, that omission increases the chance of unintended publication or user surprise, especially because the skill is positioned as a strict execution tool and uses terms like '直接发布' ("publish directly").

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill encourages publishing generated material to the WeChat Official Account draft box without an explicit warning that content and related metadata will be transmitted to external services. In this context, prompts, generated articles/images, and account credentials may flow to third-party model vendors and WeChat, creating privacy and data-handling risk if the user is not clearly informed.

VirusTotal

66/66 vendors flagged this skill as clean.
