WeCom文件发送

Security checks across malware telemetry and agentic risk

Overview

This skill openly sends local files through WeCom, but its broad triggers and direct send instructions could expose the wrong workspace or business file.

Install only if you want an agent to send local workspace files through WeCom. Use explicit filenames or full paths, verify the recipient, and confirm the selected file before any MEDIA send, especially for companywork or other private folders.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger phrases are very broad, everyday expressions such as '发送文件给我' and '把这个文件发给我', which can easily match normal conversation and invoke the skill unintentionally. In this skill, accidental activation is more dangerous because the skill is designed to expose and transmit local files from predefined workspace directories, increasing the chance of unintended data disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal