bozo-wechat-publisher

Security checks across malware telemetry and agentic risk

Overview

The skill appears to publish Markdown to WeChat as advertised, but it needs review because it uses WeChat credentials, uploads local content, and carries install and credential-loading behavior that reaches beyond what publishing requires: it installs a global npm package at runtime and falls back to reading secrets from a workspace file.

Install only if you are comfortable giving the skill WeChat Official Account API credentials and having the selected Markdown content, metadata, and images uploaded to WeChat services. Set credentials explicitly for each run or through a dedicated secret manager rather than storing the AppSecret in shell startup files or TOOLS.md, inspect commands before running them, and install Node and wenyan-cli yourself from trusted sources instead of relying on the automatic global install or the curl-to-sudo-bash setup step.
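One way to act on "inspect commands before running them" before a skill ever reaches ~/.claude/skills: an added pre-install audit script, not part of bozo-wechat-publisher or SkillSpector, that greps a skill directory for the patterns this report flags. The sample skill it scans is constructed inline from the snippets quoted in the findings (the publish.sh lines are an approximation of the behavior the findings describe, not the skill's real file), so the script runs offline; the labels and regexes are this example's own assumptions.

```shell
#!/bin/sh
# Pre-install audit for an agent skill directory. Added example, not part of
# bozo-wechat-publisher or SkillSpector. Labels and regexes are this example's
# own choices; extend the list for the patterns your environment cares about.

# scan_pattern DIR LABEL ERE: print "LABEL: file:line:content" per matching line.
scan_pattern() {
  grep -rnE -- "$3" "$1" 2>/dev/null | sed "s/^/$2: /"
}

# audit_skill DIR: run every pattern this report flags against the skill files.
audit_skill() {
  # curl ... | sudo [-E] bash : remote code run as root before anyone reads it
  scan_pattern "$1" pipe-to-privileged-shell '\|[[:space:]]*sudo([[:space:]]+-[A-Za-z]+)*[[:space:]]+(ba)?sh'
  # any sudo in setup or runtime scripts
  scan_pattern "$1" sudo-in-setup '(^|[^A-Za-z])sudo[[:space:]]'
  # global npm install at runtime (unpinned, unrequested host modification)
  scan_pattern "$1" runtime-global-install 'npm[[:space:]]+install[[:space:]]+(-g|--global)'
  # credential fallback to a fixed workspace file
  scan_pattern "$1" workspace-secret-read '\.openclaw/workspace/TOOLS\.md'
  # secrets written into shell startup files
  scan_pattern "$1" secret-into-shell-rc 'WECHAT_APP_SECRET.*(\.zshrc|\.bashrc|\.profile)'
}

# audit_count DIR: number of flagged lines, for scripting a go/no-go gate.
audit_count() {
  audit_skill "$1" | wc -l | tr -d ' '
}

# Constructed sample skill (two files) built from the snippets in this report,
# written to a temp dir so the example runs offline.
make_sample_skill() {
  dir=$(mktemp -d)
  cat > "$dir/README.md" <<'EOF'
# 2. Install Node.js 18
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
echo 'export WECHAT_APP_SECRET=xxxx' >> ~/.zshrc
EOF
  cat > "$dir/publish.sh" <<'EOF'
command -v wenyan >/dev/null || npm install -g @wenyan-md/cli
[ -f "$HOME/.openclaw/workspace/TOOLS.md" ] && . "$HOME/.openclaw/workspace/TOOLS.md"
EOF
  printf '%s\n' "$dir"
}

# Usage: audit_skill ~/.claude/skills/bozo-wechat-publisher
# Demo against the constructed sample. A non-zero count is a prompt to read
# the flagged lines before installing, not a verdict on the skill.
sample=$(make_sample_skill)
audit_skill "$sample"
echo "flagged lines: $(audit_count "$sample")"
rm -rf "$sample"
```

Each flagged line carries its file and line number, so the review step is reading those lines in context rather than trusting the label; the patterns are deliberately broad (any `sudo` counts) because a false positive costs a glance and a miss costs a root shell.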

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (23)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script installs a global npm package at runtime if `wenyan` is missing, which expands its capabilities from publishing content to modifying the host system and fetching code from the package registry. In an agent/skill context, silent package installation creates supply-chain and environment-tampering risk because it executes unpinned third-party code without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads `WECHAT_APP_ID` and `WECHAT_APP_SECRET` from `$HOME/.openclaw/workspace/TOOLS.md`, pulling sensitive credentials from a user workspace file outside the script's declared inputs. This is dangerous because it widens the script's data access scope and sends those secrets to WeChat APIs without the user's explicit awareness at invocation time.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script auto-installs a global npm package at runtime (`npm install -g @wenyan-md/cli`), which modifies the host system and executes code fetched from the network without explicit user approval. In an agent skill context, this exceeds the minimum capability needed for publishing and creates supply-chain and environment-tampering risk if the package or registry path is compromised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads `WECHAT_APP_ID` and `WECHAT_APP_SECRET` from `$HOME/.openclaw/workspace/TOOLS.md`, a broad local file outside the immediate publishing input. This introduces secret-harvesting behavior from a general workspace file, which is risky in an agent setting because the skill silently expands its data access scope beyond user-provided environment variables.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script silently falls back to reading WECHAT_APP_ID and WECHAT_APP_SECRET from a fixed local file under ~/.openclaw/workspace/TOOLS.md. This expands the trust boundary and may cause the skill to access credentials the user did not intend to expose to this script, especially in shared or agent-managed workspaces.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script automatically runs `npm install -g @wenyan-md/cli` when `wenyan` is missing, which expands its behavior from publishing content into installing and executing third-party code on the host. In an agent/automation context, silent package installation increases supply-chain risk and can violate least-privilege expectations, especially because global installs modify the environment outside the skill's immediate task.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script harvests WeChat credentials from `$HOME/.openclaw/workspace/TOOLS.md` by parsing a local file for exported secrets, which is ad hoc secret discovery beyond the stated publishing function. In an agent setting, scanning workspace files for credentials is dangerous because it normalizes secret scraping behavior and may access sensitive values the caller did not explicitly provide for this execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide instructs users to persist long-lived WeChat AppID/AppSecret values in shell startup files and later print them to the terminal for verification. This increases the chance of credential exposure through shared accounts, shell history, screen recording, shoulder surfing, backups, or accidental disclosure, even though it is presented as setup guidance rather than overtly malicious behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly says Markdown content and images will be published to the WeChat draft box and uploaded to WeChat-hosted services, but it does not clearly warn users that article text, metadata, and image data leave the local machine and are transmitted to a third party. In a publishing skill this data flow is expected, but the lack of an explicit disclosure can still mislead users into sending sensitive or proprietary content externally.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The setup instructions tell users to append WECHAT_APP_ID and especially WECHAT_APP_SECRET directly into shell startup files such as ~/.zshrc, which stores credentials in persistent plaintext on disk. This increases the chance of credential exposure through backups, dotfile syncing, local compromise, screen sharing, or accidental disclosure when sharing configuration files.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is broad enough to match ordinary requests about WeChat, public accounts, drafts, or uploading articles, increasing the chance that the skill activates in contexts where the user did not intend external publication. In a publishing skill, accidental activation is risky because it can lead to content transmission, credential use, and side effects beyond simple formatting help.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The description does not prominently warn that using the skill uploads article text, images, and metadata to WeChat APIs and that the setup steps modify persistent shell startup files. Users may assume it is a local formatting helper when it actually performs external transmission and environment changes, which undermines informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly encourages automatic upload of local images and download/re-upload of remote images to WeChat, but does not warn users that doing so transmits content to external services and may expose private files, metadata, or copyrighted material. In a publishing skill, this omission is security-relevant because users may assume local paths and referenced URLs are handled only locally, when the feature actually causes outbound data transfer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions tell users to export WECHAT_APP_ID and WECHAT_APP_SECRET without any warning about secret handling, storage, shell history, logging, or accidental disclosure. While this is common operational guidance, omitting secret-safety instructions in a skill that publishes content to an external platform increases the chance that credentials are mishandled and later abused to access or publish to the user's WeChat account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accesses local WeChat credentials from `TOOLS.md` without a user-facing warning, which is a sensitive-data access transparency failure. In an agent skill, hidden secret discovery is especially risky because the user may believe only the provided markdown is being processed while the skill also reads unrelated workspace secrets.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits article HTML, metadata, and cover images to external WeChat endpoints, but the help/description does not clearly warn users about outbound data transfer. This is dangerous in a skill ecosystem because users may not realize their local content and referenced files will be uploaded off-host.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatically installing a global package without advance disclosure or opt-in is unsafe because it modifies the host's global package tree and fetches code from the network as a side effect of a publishing command. Users invoking a content-publishing skill would not reasonably expect software installation, which makes this a meaningful security and trust-boundary violation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently reads WeChat credentials from a local file and then uses them in outbound API requests, without clear up-front notice in the help text that local secret files will be inspected. This is dangerous because it normalizes undisclosed secret discovery and transmission behavior in an automation skill, increasing the chance of unintended credential use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Reading credentials from a local TOOLS.md file without an explicit warning or consent is a sensitive-data access issue. In an agent skill context, this is more dangerous because users may not realize the skill is scanning a workspace file for secrets and then using them for outbound API calls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script reads sensitive WeChat credentials from a markdown file without strong handling boundaries, validation, or any warning that secrets are being sourced from local content. This increases the risk of accidental exposure, misuse, or overbroad secret access, particularly in shared workspaces or automated agent environments where local files may contain unrelated credentials.
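For contrast with the fallback these findings describe, an added example (not the bozo-wechat-publisher script) of a credential loader that accepts WeChat credentials only from the caller's environment or from a file path the caller names for this run, with the flagged workspace-file scrape kept beside it as the "before". The format checks assume the usual shape of WeChat Official Account credentials (AppID of `wx` plus 16 hex characters, 32-hex-character AppSecret); adjust them if your account's values differ. The file paths in the comments are illustrative.

```shell
#!/bin/sh
# Credential loading for a publishing skill. Added example, not the
# bozo-wechat-publisher script. Each loader sets APP_ID, APP_SECRET and
# CRED_SOURCE and returns non-zero when no usable credentials were provided.

# BEFORE: the flagged pattern. If the environment is empty, scrape 'export'
# lines out of a fixed workspace file the caller never named. Shown only for
# contrast; it silently widens what the skill reads.
weak_load_credentials() {
  tools_md=${1:-"$HOME/.openclaw/workspace/TOOLS.md"}
  APP_ID=${WECHAT_APP_ID:-}
  APP_SECRET=${WECHAT_APP_SECRET:-}
  CRED_SOURCE=env
  if [ -z "$APP_SECRET" ] && [ -r "$tools_md" ]; then
    APP_ID=$(sed -n 's/^export WECHAT_APP_ID=//p' "$tools_md" | head -n 1)
    APP_SECRET=$(sed -n 's/^export WECHAT_APP_SECRET=//p' "$tools_md" | head -n 1)
    CRED_SOURCE=workspace-file
  fi
  [ -n "$APP_ID" ] && [ -n "$APP_SECRET" ]
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# matches VALUE ERE: true when VALUE matches the whole-line regex.
matches() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

# AFTER: credentials come from the environment, or from a file the caller
# passes explicitly (for example one a secret manager wrote for this run).
# No fixed-path fallback, owner-only mode required, plain KEY=VALUE lines that
# are parsed rather than sourced (so the file cannot execute code), values
# sanity-checked, and nothing printed.
load_credentials() {
  cred_file=${1:-}
  if [ -n "$cred_file" ]; then
    [ -f "$cred_file" ] || { echo "credential file not found: $cred_file" >&2; return 1; }
    mode=$(file_mode "$cred_file")
    case $mode in
      600|400) ;;
      *) echo "refusing $cred_file: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    APP_ID=$(sed -n 's/^WECHAT_APP_ID=//p' "$cred_file" | head -n 1)
    APP_SECRET=$(sed -n 's/^WECHAT_APP_SECRET=//p' "$cred_file" | head -n 1)
    CRED_SOURCE=file
  else
    APP_ID=${WECHAT_APP_ID:-}
    APP_SECRET=${WECHAT_APP_SECRET:-}
    CRED_SOURCE=env
  fi
  # Assumed credential shape: AppID "wx" + 16 hex chars, AppSecret 32 hex
  # chars. Change these if your Official Account issues different values.
  matches "$APP_ID" '^wx[0-9a-f]{16}$' || { echo "WECHAT_APP_ID missing or malformed" >&2; return 1; }
  matches "$APP_SECRET" '^[0-9a-f]{32}$' || { echo "WECHAT_APP_SECRET missing or wrong length" >&2; return 1; }
}

# Usage (paths illustrative):
#   export WECHAT_APP_ID=... WECHAT_APP_SECRET=...; load_credentials
#   load_credentials "$XDG_RUNTIME_DIR/wechat.env"   # 0600 file written per run
# then hand $APP_ID/$APP_SECRET to the publish step and unset them afterwards.
```

Run this way, the only credential source is the one named at invocation, so a reviewer of the publish command can see exactly where the secrets came from. The file form keeps the AppSecret off the command line and out of shell history, and the mode check keeps it out of dotfile syncs and backups that would otherwise copy a `~/.zshrc` export along with everything else.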

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
cp -r bozo-wechat-publisher ~/.claude/skills/

# 2. Install Node.js 18
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

# 3. Install wenyan-cli
Confidence
95% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
cp -r bozo-wechat-publisher ~/.claude/skills/

# 2. Install Node.js 18
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

# 3. Install wenyan-cli
Confidence
95% confidence
Finding
sudo -E

Chaining Abuse

High
Category
Tool Misuse
Content
cp -r bozo-wechat-publisher ~/.claude/skills/

# 2. Install Node.js 18
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

# 3. Install wenyan-cli
Confidence
97% confidence
Finding
| sudo
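The three sudo findings above point at one line: `curl -fsSL ... | sudo -E bash -` executes whatever the server returns, as root, with the caller's environment passed through, before anyone has read it. An added example (not from the skill's README) of the replacement the overview recommends: fetch to a file, compare its digest with a checksum obtained independently of the download, read the file, and only then execute it. The installer here is a constructed local file so the example runs offline, and the demo computes its pin from that same file, which in real use you must not do: the expected hash has to come from the publisher's release page or a signed manifest, not from the bytes you just fetched.

```shell
#!/bin/sh
# Verify-before-run replacement for "curl ... | sudo -E bash -". Added example,
# not from the skill's README. Nothing here touches the network: the installer
# is a constructed local file so the example runs offline.

# sha256_of FILE: hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# verify_then_run FILE EXPECTED_SHA256 [RUNNER...]
# Executes FILE with RUNNER (default: sh) only when its digest equals
# EXPECTED_SHA256. On mismatch nothing is executed and the function returns 1.
# To run as root, pass "sudo sh" as the runner so that privilege is applied to
# a file you have read, not to an unread stream from the network; note that
# this also drops the "-E" from the original line, so root does not inherit
# the caller's environment.
verify_then_run() {
  file=$1
  expected=$2
  shift 2
  [ $# -gt 0 ] || set -- sh
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to run %s: sha256 %s, expected %s\n' "$file" "$actual" "$expected" >&2
    return 1
  fi
  "$@" "$file"
}

# Demo with a constructed "installer" that only announces itself. In real use
# the file comes from   curl -fsSLo setup_18.x.sh https://deb.nodesource.com/setup_18.x
# and the pin from the publisher; you read setup_18.x.sh before the run step.
demo() {
  work=$(mktemp -d)
  printf '#!/bin/sh\necho "installer ran"\n' > "$work/setup.sh"
  pin=$(sha256_of "$work/setup.sh")              # demo only: real pins come from elsewhere
  verify_then_run "$work/setup.sh" "$pin"
  printf 'echo tampered\n' >> "$work/setup.sh"   # simulate a modified download
  verify_then_run "$work/setup.sh" "$pin" || echo "tampered file was not run"
  rm -rf "$work"
}

demo
```

The `sudo apt-get install -y nodejs` step that follows in the README is unchanged by this; the point is that the only thing run with elevated privilege is a file whose contents were fixed by the hash check. The same discipline applies to wenyan-cli: install it yourself with the version you reviewed (`npm install -g @wenyan-md/cli@<reviewed version>`) as an explicit step, rather than letting the publish script install whatever the registry serves on first use.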

VirusTotal

65/65 vendors flagged this skill as clean.
