Security audit

WeChat Official Account Publishing Tool

Security checks across malware telemetry and agentic risk

Overview

This is a real WeChat publishing tool, but it needs review because it can affect a live public account and has under-disclosed browser automation and unsafe credential guidance.

Install only after code review and preferably test with a dedicated WeChat account first. Keep config.yaml out of version control, use environment variables or a secret store for keys, avoid publish.js unless you intend browser-based admin automation, and use draft mode until a human verifies the exact account, content, images, and audience before any live publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Tainted flow: 'img_url' from requests.get (line 825, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
img_url = result["output"]["results"][0]["url"]
logger.info(f"图片 URL: {img_url}")

img_response = requests.get(img_url, timeout=30)
img_response.raise_for_status()
logger.info("通义万相图片生成成功")
return img_response.content
Confidence
93% confidence
Finding
img_response = requests.get(img_url, timeout=30)

Tainted flow: 'img_url' from requests.get (line 721, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
img_url = result["data"]["img_urls"][0]

# Download the image
img_response = requests.get(img_url, timeout=30)
img_response.raise_for_status()
logger.info("文心一格图片生成成功")
return img_response.content
Confidence
93% confidence
Finding
img_response = requests.get(img_url, timeout=30)

Tainted flow: 'photo_url' from requests.get (line 926, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
# Download the image
logger.info(f"下载 Unsplash 图片:{photo_url}")
img_response = requests.get(photo_url, timeout=30)
img_response.raise_for_status()

# Resize
Confidence
88% confidence
Finding
img_response = requests.get(photo_url, timeout=30)

Tainted flow: 'img_url' from requests.get (line 724, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if img_url:
    logger.info(f"图片 URL: {img_url[:100]}...")

    img_response = requests.get(img_url, timeout=30)
    img_response.raise_for_status()

    # Scale down if needed
Confidence
94% confidence
Finding
img_response = requests.get(img_url, timeout=30)

Tainted flow: 'img_url' from requests.get (line 724, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if img_url:
    logger.info(f"图片 URL: {img_url[:100]}...")

    img_response = requests.get(img_url, timeout=30)
    img_response.raise_for_status()
    logger.info("阿里百炼图片生成成功")
    return img_response.content
Confidence
93% confidence
Finding
img_response = requests.get(img_url, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation declares a simple publishing tool, but the analyzer detected capabilities including environment access, file read/write, network, and shell without any explicit permissions declaration or user-facing scoping. In an agent setting, this increases the chance of over-privileged execution, unexpected side effects, and misuse of local credentials or files beyond what is necessary for article publishing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a strong true positive: the documented purpose is article publishing, but the detected behavior includes browser automation of the WeChat admin site, scanning project files for secrets, redacting logs, unrelated web scraping, and persistent usage accounting. Those extra behaviors materially expand the trust boundary and could expose secrets, alter unrelated files, or perform actions on the account outside the user's expected intent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script recursively scans a developer-local workspace for secrets across many file types, which gives the skill an unnecessary credential-discovery capability unrelated to publishing WeChat articles. In this context, broad filesystem inspection increases risk because a bundled skill should not need to enumerate and inspect local project files, especially files likely to contain credentials.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The module can send article text to an external LLM for keyword extraction, which expands data exposure beyond simple publishing and image upload. In a WeChat publishing skill, unpublished article drafts may be sensitive, so undisclosed export to a third-party model materially increases privacy and confidentiality risk.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill description claims publishing via the official API, but the implementation instead drives the WeChat web admin UI through browser automation and performs draft/image manipulation. This is dangerous because users and orchestrators may grant the skill broader trust, permissions, or workflow assumptions based on false capabilities, while browser-driven admin automation is more fragile and can modify authenticated account content in unintended ways.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The CLI advertises publish, preview, cover URL, and draft-edit features that are not actually implemented, while only --organize performs real actions. Misrepresented controls are a security problem because operators may believe they are using a safe preview or limited mode when the script instead executes a different workflow that edits drafts, increasing the risk of accidental content changes in a privileged session.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code implements a direct mass-publish path via `publish_all(media_id)` after a simple local confirmation prompt, which exceeds a safer draft-only workflow and can send content to all followers. In the context of an agent skill triggered by natural-language requests, this increases the chance of unintended or unauthorized broad distribution if the skill is invoked incorrectly or manipulated.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This test file performs live web scraping of third-party security news sites, which is unrelated to the declared skill purpose of publishing WeChat public-account articles via the official API. In an agent skill, unrelated network-capable code expands the attack surface, can enable undisclosed data flows or content sourcing, and suggests possible scope drift or hidden behavior that could be repurposed to fetch untrusted content for later publication.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The module docstring explicitly describes an 'API-free search solution,' which contradicts the skill metadata stating it is based on the official API for WeChat article publishing. This inconsistency is dangerous because it signals undocumented capability expansion and may indicate attempts to bypass intended controls, review boundaries, or platform expectations about what the skill does.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The PRD explicitly includes a direct publish mode and mass-send API endpoint, but it does not require explicit user confirmation, audience scoping, or warning text about immediate delivery to subscribers. In a publishing skill, this creates a real safety risk because a mistaken invocation or misunderstood mode can trigger irreversible bulk distribution of content.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document specifies sending article-derived data to external AI image-generation services and later to WeChat APIs, but it does not require disclosure, consent, or data-minimization controls for transmitted content. If users include sensitive or proprietary article text, the skill could expose that content to third-party providers without sufficient warning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes automated publishing, intelligent image generation, and scheduled posting to WeChat and third-party image providers, but it does not clearly warn users that article content, prompts, and related metadata may be transmitted off-host to external platforms and APIs. This creates a real privacy and data-handling risk because users may unknowingly send sensitive draft content or proprietary material to WeChat, Unsplash, Tongyi, Baidu, or OpenAI-backed services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises direct publish and mass-send operations without warning that content will be transmitted to external services and may immediately affect a live public account. In a skill context, that omission can lead users or upstream agents to trigger irreversible account actions without informed consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The test mode is described as automatically creating three articles in the draft box, but the documentation does not warn that this generates and transmits content to external services. Even if limited to drafts, automated content creation against a real account can consume quotas, clutter assets, and surprise operators.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell users to place AppID, AppSecret, and an image API key into configuration without highlighting that these are sensitive credentials or that they may be used to authenticate external requests. In combination with the skill's broader detected capabilities, this raises the risk of credential misuse, leakage, or accidental inclusion in logs and files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide promotes automatic and scheduled publication workflows but does not prominently warn that these actions can post real content to a production WeChat public account, potentially causing unintended or irreversible publication. In an agent skill context, users may over-trust automation, so missing safety guidance increases the chance of accidental brand, compliance, or reputational damage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide instructs users to place AppSecret and third-party API keys in configuration files and environment variables, but it does not clearly warn against exposing them in source control, logs, screenshots, or shared machines. These credentials can grant unauthorized access to the WeChat account and image provider services, enabling account abuse, content publication, and quota or billing loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Article content is transmitted to an external LLM service with no visible consent or disclosure mechanism in this file. For a publishing tool handling draft content, silent third-party transmission can leak proprietary, personal, or embargoed material.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The image generation workflow sends prompts derived from article content to multiple third-party services and downloads returned resources, but the code shows no disclosure or consent boundary. In this skill context, users may reasonably expect publishing to WeChat, not broad sharing with several AI vendors and media CDNs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically edits draft articles and inserts matched images without prompting the user for approval per draft or presenting a review step. In the context of a WeChat public-account admin session, this can silently alter publication content, introduce incorrect or inappropriate media, and create reputational or operational damage before the user notices.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.