WeChat Auto Reply

Security checks across malware telemetry and agentic risk

Overview

This skill's observed behavior is consistent with its stated purpose (WeChat automation), but it needs Review because it can send messages from a logged-in account, captures the chat UI for OCR, and delegates its main runtime behavior to an AppleScript file that is not included in the reviewed artifact.

Install only if you are comfortable granting local UI-control permissions and letting the skill operate your logged-in WeChat account. Before use, obtain and read the AppleScript that is missing from the reviewed artifact (the skill expects it from its Homebrew package); test only with a safe recipient such as 文件传输助手 (WeChat's File Transfer self-chat, where a message is seen only by the account owner); and avoid the automatic send modes unless you have reviewed both the target-selection and the message behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
X, Y, W, H = get_wechat_bounds()
RX, RY, RW, RH = X, Y + 60, 520, 520
img = "/tmp/wechat-search-state-machine.png"
subprocess.run(["/usr/sbin/screencapture", f"-R{RX},{RY},{RW},{RH}", img], check=True)
# look for an exact hit in the OCR output and click its text line
url = NSURL.fileURLWithPath_(img)
req = VNRecognizeTextRequest.alloc().init()
Confidence
86% confidence
Finding
subprocess.run(["/usr/sbin/screencapture", f"-R{RX},{RY},{RW},{RH}", img], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
RW = int(W * 0.48)
RH = int(H * 0.17)
img = "/tmp/wechat-input-check.png"
subprocess.run(["/usr/sbin/screencapture", f"-R{RX},{RY},{RW},{RH}", img], check=True)
texts = vision_texts(img)
joined = " | ".join(texts)
print("INPUT_OCR:", joined)
Confidence
88% confidence
Finding
subprocess.run(["/usr/sbin/screencapture", f"-R{RX},{RY},{RW},{RH}", img], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill describes installation and execution flows that run shell commands, but it declares no permissions, which weakens transparency and informed consent for a tool that drives UI automation and sends messages. Undeclared shell capability is especially risky here because the skill also relies on external scripts and on system-level automation primitives on macOS (screencapture, System Events, cliclick).
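The two "subprocess module call" findings and this least-privilege finding come from the same kind of check: walk the skill's Python AST, collect every subprocess call and the binary it launches, and compare the capabilities that implies against what the skill declares. The example below is an added illustration of that check, not SkillSpector's code; the sample source is constructed to mirror the screencapture/osascript/cliclick pattern in the findings, and the capability names and the binary-to-capability table are assumptions made for this illustration.

```python
"""Added example (not SkillSpector's code): detect subprocess calls in a skill's
Python source with the ast module and report capabilities the skill exercises
but does not declare. Capability names and the binary table are assumptions."""
import ast

# Constructed sample source: mirrors the calls flagged in the findings above.
SAMPLE_SOURCE = '''
import subprocess

def capture(rx, ry, rw, rh, img):
    subprocess.run(["/usr/sbin/screencapture", f"-R{rx},{ry},{rw},{rh}", img], check=True)

def press_enter():
    subprocess.run(["osascript", "-e", 'tell application "System Events" to key code 36'])

def click(x, y):
    subprocess.call(["cliclick", f"c:{x},{y}"])
'''

# Assumed mapping from launched binary to the capability a manifest should declare.
BINARY_CAPABILITIES = {
    "/usr/sbin/screencapture": "screen_capture",
    "screencapture": "screen_capture",
    "osascript": "ui_automation",
    "cliclick": "ui_automation",
}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _launched_binary(call: ast.Call):
    """Return the executable name when the first argument is a literal list or string."""
    if not call.args:
        return None
    arg = call.args[0]
    if isinstance(arg, ast.List) and arg.elts and isinstance(arg.elts[0], ast.Constant):
        return arg.elts[0].value
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value.split()[0]
    return None


def find_subprocess_calls(source: str):
    """Return (line, binary-or-None) for every subprocess.<func>(...) call."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"
                and func.attr in SUBPROCESS_FUNCS):
            found.append((node.lineno, _launched_binary(node)))
    return found


def required_capabilities(source: str):
    """Capabilities implied by the calls: any subprocess use is shell_exec; known binaries add more."""
    caps = set()
    for _, binary in find_subprocess_calls(source):
        caps.add("shell_exec")
        if binary in BINARY_CAPABILITIES:
            caps.add(BINARY_CAPABILITIES[binary])
    return caps


def underdeclared(source: str, declared):
    """Capabilities the code exercises but the (assumed) manifest does not declare."""
    return sorted(required_capabilities(source) - set(declared))


if __name__ == "__main__":
    declared = {"send_message"}  # constructed manifest with no shell/UI capability
    for line, binary in find_subprocess_calls(SAMPLE_SOURCE):
        print(f"line {line}: subprocess call launching {binary!r}")
    print("underdeclared:", underdeclared(SAMPLE_SOURCE, declared))
```

The binary lookup only works when the command is a literal; a command built at runtime (a variable, a string concatenation) still counts as shell_exec but cannot be mapped further, which is exactly when a reviewer should read the code by hand.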

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior does not match the visible implementation surface: the skill references an external AppleScript, mentions OCR/UI-state verification logic that is not visible in the artifact, and the visible code contains hard-coded test messaging behavior that is inconsistent with the advertised arbitrary-contact CLI. Behavior mismatches are dangerous in automation skills because users trust the declared interface while the actual code can message unintended recipients or perform undocumented screen inspection.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The semi-automatic reply mode reads chat content from screenshots via OCR, but the description does not provide a prominent privacy warning. That omission is security-relevant because users may expose sensitive conversations, personal data, or business information without realizing the skill captures and processes message content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The direct-send mode can automatically send messages to real contacts or groups, but the usage description lacks an explicit safety warning about irreversible message dispatch. In a messaging automation skill, that increases the chance of accidental delivery, social engineering misuse, or unintended messages reaching the wrong recipient.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically sends a WeChat message after OCR-based state checks and an Enter keypress, with no user-facing confirmation, preview, or final consent gate. In a messaging context this can cause unintended outbound communications, social engineering, disclosure of sensitive text to the wrong recipient, or reputational harm if OCR/state detection makes a mistake.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill captures screenshots of WeChat UI regions and runs OCR on them without any disclosure or consent prompt. Even though the captures are region-limited, they can still contain chat titles, message content, contacts, and other private information, creating avoidable privacy exposure and residual sensitive files under /tmp.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill uses AppleScript, System Events, and cliclick to take control of the desktop application and inject keystrokes/clicks without explicit disclosure in-code at the moment of execution. In the context of a messaging app, hidden UI control raises user-consent and misuse concerns because it can trigger actions in a trusted communication channel under the user's identity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically sends a WeChat message once OCR heuristics indicate the input field contains the expected text, with no final user confirmation. In a desktop messaging context, mis-targeting or false OCR/click matches can cause messages to be sent to the wrong recipient, leading to privacy breaches, social engineering, or reputational harm.
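This finding and the earlier one about sending after an Enter keypress describe the same gap: OCR heuristics decide that the UI is in the expected state and the send happens with no final consent step. The code below is an added example of the gate that should sit in front of every send path; it is not the skill's code. The exact-match OCR check, the safe-recipient list, the dry-run flag and the injected dispatch/confirm callbacks are assumptions made for this illustration, and nothing here drives WeChat, so it runs offline.

```python
"""Added example, not part of the skill: one consent gate in front of every
send. The OCR exact-match rule, safe list and callbacks are assumptions."""
from dataclasses import dataclass
from typing import Callable

# Assumed safe list: 文件传输助手 is WeChat's File Transfer self-chat, so a
# message that lands there is seen only by the account owner.
SAFE_RECIPIENTS = frozenset({"文件传输助手"})


@dataclass
class SendDecision:
    sent: bool
    reason: str


def _norm(s: str) -> str:
    return " ".join(s.split())


def ocr_state_matches(recipient: str, text: str,
                      observed_title: str, observed_input: str) -> bool:
    """Require the OCR'd chat title and input box to equal the intent exactly.

    Substring or fuzzy matching is what lets a similarly named chat pass the
    check, so only whitespace is normalised before comparison.
    """
    return (_norm(observed_title) == _norm(recipient)
            and _norm(observed_input) == _norm(text))


def guarded_send(recipient: str, text: str,
                 observed_title: str, observed_input: str, *,
                 dispatch: Callable[[str, str], None],
                 confirm: Callable[[str], bool],
                 auto: bool = False, dry_run: bool = False) -> SendDecision:
    """Decide whether the pending message may be dispatched.

    dispatch(recipient, text) performs the real send (for this skill, the Enter
    keypress). confirm(preview) asks the user and is skipped only when auto
    mode was explicitly requested *and* the recipient is on the safe list.
    """
    preview = f"To: {recipient}\nText: {text!r}"
    if dry_run:
        return SendDecision(False, "dry-run, nothing sent:\n" + preview)
    if not ocr_state_matches(recipient, text, observed_title, observed_input):
        return SendDecision(False, f"OCR state mismatch: title={observed_title!r} "
                                   f"input={observed_input!r}; refusing to send")
    if auto and recipient not in SAFE_RECIPIENTS:
        return SendDecision(False, f"auto mode refused for non-safe recipient {recipient!r}")
    if not auto and not confirm(preview):
        return SendDecision(False, "user declined at the consent gate")
    dispatch(recipient, text)
    return SendDecision(True, "sent after consent gate")


if __name__ == "__main__":
    log = []
    decision = guarded_send(
        "Alice", "hello", "Alice", "hello",
        dispatch=lambda r, t: log.append((r, t)),
        confirm=lambda preview: input(preview + "\nSend? [y/N] ").strip().lower() == "y",
    )
    print(decision, log)
```

The ordering matters: the dry-run and OCR checks run before any prompt so a mis-targeted message is refused without asking the user to approve it, and auto mode can never bypass confirmation for a real contact.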

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill takes screenshots of WeChat UI for OCR without any visible disclosure, even though those captures can include contact names and message-related content. In a messaging tool, silent collection of interface imagery increases privacy risk and can surprise users who may not realize chat data is being copied to local files.
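This finding and the earlier one about residual files under /tmp point at the same fix: the capture should not go to a fixed, world-readable path and should not outlive the OCR step. The code below is an added example of that lifecycle, not the skill's code. The capture callable is injected so the flow can be exercised offline with the constructed stand-ins at the bottom; `macos_capture` is an assumed wrapper around /usr/sbin/screencapture that only works on macOS, and the real OCR call (the Vision framework request in the findings) is replaced by whatever callable you pass as `ocr`.

```python
"""Added example, not part of the skill: capture a UI region into a private
0700 temp directory, run OCR, and delete the image afterwards even on error.
macos_capture is an assumed screencapture wrapper; the fake_* helpers are
constructed stand-ins so the flow runs without macOS or Vision."""
import os
import stat
import subprocess
import tempfile
from contextlib import contextmanager
from typing import Callable, Iterator, Tuple

Region = Tuple[int, int, int, int]  # x, y, width, height


def macos_capture(region: Region, path: str) -> None:
    """Assumed wrapper: region capture without the shutter sound (macOS only)."""
    x, y, w, h = region
    subprocess.run(["/usr/sbin/screencapture", "-x", f"-R{x},{y},{w},{h}", path], check=True)


@contextmanager
def private_capture(region: Region,
                    capture: Callable[[Region, str], None] = macos_capture) -> Iterator[str]:
    """Yield the path of the captured image inside a 0700 directory; delete it on exit.

    A fixed name such as /tmp/wechat-input-check.png is readable by other local
    users by default and survives the run. mkdtemp creates a directory only
    this user can enter, and the finally block removes the image even if the
    OCR step raises.
    """
    workdir = tempfile.mkdtemp(prefix="wechat-ocr-")  # created with mode 0700
    path = os.path.join(workdir, "region.png")
    try:
        capture(region, path)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600 on the file as well
        yield path
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)


def ocr_region(region: Region, ocr: Callable[[str], list],
               capture: Callable[[Region, str], None] = macos_capture) -> dict:
    """Run capture + OCR and report whether anything was left on disk."""
    with private_capture(region, capture) as path:
        dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
        texts = ocr(path)
    return {
        "texts": texts,
        "path": path,
        "dir_mode": dir_mode,
        "file_leftover": os.path.exists(path),
        "dir_leftover": os.path.exists(os.path.dirname(path)),
    }


# Constructed stand-ins so the example runs offline on any platform.
def fake_capture(region: Region, path: str) -> None:
    with open(path, "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")  # PNG signature only, no real pixels


def fake_ocr(path: str) -> list:
    return ["文件传输助手", "hello"] if os.path.getsize(path) > 0 else []


if __name__ == "__main__":
    print(ocr_region((0, 60, 520, 520), fake_ocr, capture=fake_capture))
```

Deleting the file is the practical mitigation; overwriting before unlink gives no real guarantee on APFS or SSDs, so the point is to keep the window short and the directory private, and to log to the user that a capture happened.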

VirusTotal

66/66 vendors reported this skill as clean (no detections).