Back to skill

Security audit

WeChat Article Scraper Pro

Security checks across malware telemetry and agentic risk

Overview

This skill looks like a paid demo of a WeChat scraper rather than the real scraper it advertises, and it exposes a payment API key.

Review carefully before installing or paying. Treat this as a demo/payment prototype unless the publisher removes and rotates the exposed API key, aligns pricing across documentation and code, clearly labels the mock behavior or implements real scraping, and documents where collected/exported data is stored and how to delete it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises network access and local file-writing behavior through its documented functionality and inferred capabilities, but it does not declare permissions or constraints. That creates a transparency and policy-enforcement gap: users and the platform cannot accurately assess or limit what the skill may do before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially diverges from the analyzed implementation: payment handling, pricing, storage, output formats, and even the core scraping functionality do not match the stated purpose. This is dangerous because users may authorize a seemingly simple scraper while actually invoking a web app with payment redirects, session enforcement, local database storage, and misleading/mock data generation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hard-coded SkillPay API key is directly exposed in the public skill documentation, which can allow unauthorized third parties to abuse the payment integration, impersonate the skill, or incur fraudulent charges and service misuse. In this context, the secret is unrelated to the user-facing scraper documentation and should never be embedded in distributable markdown.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill advertises real batch scraping/export of WeChat historical articles, but the implementation only generates mock article metadata and placeholder content. This is a deceptive functionality mismatch that can cause users to pay for a capability that does not exist, which is especially concerning because payment is enforced before access to the feature.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The description promises Markdown/HTML export, but the route only implements Markdown and Excel export. This inconsistency is misleading product behavior and may induce users to pay for unsupported functionality.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code comments and skill description say each invocation costs 0.001 USDT, but the billing charge request sends amount 0. This creates a billing integrity issue: users and operators cannot rely on the stated pricing, and the code may bypass intended charging or misrepresent how fees are applied.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The skill description is broad and lacks precise trigger conditions, scope limits, or invocation constraints. That can cause the agent platform to match and invoke the skill too aggressively, increasing the chance of unintended network scraping, downloads, storage, or payment-related execution in contexts the user did not clearly request.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes bulk scraping, image downloading, and local storage without warning about data volume, copyright/compliance concerns, disk usage, or network impact. In practice, that omission can lead users to trigger large-scale collection and persistence operations without understanding the operational and legal consequences.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.