WeRead (微信读书)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeRead integration that uses a local session cookie to fetch and export reading data, with no evidence of hidden upload, destructive actions, or unrelated access.

Install only if you are comfortable giving the skill access to your WeRead web session and local reading history. Treat ~/.weread/cookie like a password, do not share exported note files, prefer manual cookie entry or a dedicated browser profile when possible, and delete the cookie and ~/.weread exports when you no longer need the integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, performs network access to WeRead, and reads/writes local files such as ~/.weread/cookie, but the manifest does not declare corresponding permissions or clearly constrain those capabilities. Undeclared capability use weakens reviewability and consent, making it easier for a skill handling authentication material to overreach without users or the platform understanding its access level.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description frames the functionality as book and note querying, but the instructions also include obtaining, persisting, and validating live WeRead authentication cookies. That behavior materially expands the trust boundary from data retrieval to credential handling, which is security-sensitive and could expose a user session if reused, leaked, or mishandled.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The README presents the skill as local-only and focused on querying WeRead data, yet the setup requires obtaining a live authenticated browser cookie. That cookie is effectively an account credential, so the documented behavior expands the trust boundary well beyond passive note/query functionality and can enable full account access if mishandled.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README instructs the agent to open the WeRead site, verify login state, extract document.cookie, and save it locally. Extracting browser session cookies is a privileged credential-harvesting action unrelated to ordinary content retrieval, and if an agent can do this generally it could be repurposed to take over user sessions.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script is explicitly designed to collect and persist a live WeRead authentication cookie to disk, which is a bearer credential that can grant account access if stolen or reused. In the context of a skill advertised mainly for reading-data queries and note management, adding credential extraction and storage materially expands the trust boundary and attack surface.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes extracting and storing browser cookies but does not clearly warn that these cookies are sensitive credentials equivalent to an authenticated session. Users may treat them as ordinary config data, increasing the likelihood of accidental disclosure, unsafe storage, or reuse by other tools.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to extract document.cookie from a logged-in session and store it in plaintext at ~/.weread/cookie without an explicit warning that this cookie is effectively a bearer credential. Plaintext local storage and browser extraction increase the risk of session theft, accidental disclosure in logs, or reuse by other local processes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bulk export feature writes a user's notes and reading history to ~/.weread/ but does not warn that this creates a local archive of personal behavioral data and potentially copyrighted excerpts. Such exports can persist longer than expected, be synced or backed up unintentionally, and become accessible to other users or processes on the machine.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script exports a user's reading history, notes, titles, authors, and timestamps into persistent JSON files under ~/.weread without any user-facing notice, consent prompt, or guidance on protecting that data. In this skill context, the data is personal and behavior-revealing; silent local persistence increases privacy risk on shared machines, backed-up home directories, or environments with weak file permissions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool handles highly sensitive authentication cookies but does not prominently warn users that these cookies are equivalent to account credentials and should be protected accordingly. Users may paste or save session tokens without understanding the risk of local compromise, accidental sharing, or reuse by other processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
After extracting or pasting a cookie, the script automatically calls a verification function that likely sends the credential over the network, yet the user is not told this will happen. Silent transmission of a freshly supplied authentication token increases privacy and trust risks because users may expect only local storage, not immediate network use.

VirusTotal

66/66 vendors flagged this skill as clean.
