WeChat Article Writer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WeChat article workflow, but it asks for credentialed publishing, persistent workflow state, workspace agent-rule changes, and network-exposed preview behavior without enough clear user control.

Install only if you are comfortable granting a skill access to WeChat credentials, draft content, images, browser automation, and persistent local workflow files. Before use, review setup.sh, avoid plaintext secrets where possible, bind preview to localhost unless remote access is intentional, and require manual confirmation before any WeChat upload or draft creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (29)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI help and output description present this as a local Markdown-to-HTML converter, but the implementation also fetches remote image URLs found in Markdown. That mismatch is security-relevant because users may process untrusted Markdown believing no network access occurs, enabling unexpected outbound requests, privacy leaks, and SSRF-style access to internal resources if the renderer runs in a privileged environment.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The catch block builds HTML with `container.innerHTML` and interpolates `error.message` directly into the string. If an attacker can influence the thrown error text—such as via malformed infographic input or a dependency that echoes untrusted content—this can lead to DOM XSS in the renderer context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest includes very broad trigger phrases such as 'write/draft/publish/topic/voice/status', which can cause the skill to activate in situations beyond the user's clear intent. Because this skill can install services, use browser automation, and publish to a WeChat draft box, overbroad activation increases the chance of unintended sensitive actions being initiated.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup instructions install a persistent preview server as a system service (`wechat-preview.service`) on port 8898, but the skill description does not clearly warn the user that software will be installed and kept running. Hidden persistence and exposed local services increase operational and security risk, especially if users do not realize a daemonized component will survive beyond the session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The publishing workflow uses WeChat API credentials and browser/CDP automation to access and modify a user's WeChat Official Account, yet the skill does not present a clear privacy and security warning about credential handling, browser control, or what data may be transmitted. In this context, omission is risky because the skill performs authenticated actions on an external account and may access sensitive session state or account content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly instructs the workflow to look for and use locally stored WeChat API credentials in ~/.wechat-article-writer/secrets.json without any user-consent, scope, or least-privilege warning. In an agent skill context, guidance to automatically check for and use local secrets can normalize credential access and lead to unauthorized use or exfiltration of sensitive API material.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The preview server instructions bind an HTTP service to 0.0.0.0:8898 and explicitly make drafts reachable over the network, including via Tailscale, but do not warn about who can access that content or how to restrict exposure. In practice this can unintentionally leak unpublished article drafts, metadata, or internal content to other reachable hosts on the network or tailnet.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guidance instructs the orchestrator to persist workflow progress to `pipeline-state.json` across sessions, but provides no user-facing disclosure, retention limits, or access-control guidance. In this skill context, the state file may contain article content, workflow metadata, user decisions, and possibly sensitive operational details, creating privacy and data exposure risk if stored insecurely or retained longer than expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document tells the agent to process transcribed voice messages and act on them directly, but does not warn that voice content will be sent to a transcription service or explain how that data is handled. Because voice messages can contain personal or sensitive information, this omission can lead to unintended collection, transmission, and processing of user data without informed consent.

Missing User Warnings

Low
Confidence
98% confidence
Finding
The checklist recommends `echo $OPENROUTER_API_KEY` to verify configuration, which prints the full credential to the terminal and potentially into shell history, logs, screenshots, or shared sessions. While simple, this is an avoidable secret-exposure pattern that could leak an active API key.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Chrome instructions enable remote debugging on a fixed port with a temporary profile for publishing, but provide no warning that the debugging interface can expose browser control, cookies, session data, and account access if reachable by other local users or network paths. In this context, the browser is used for WeChat publishing, so compromise could allow takeover of an authenticated publishing session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs reading a local secrets file containing app credentials without any privacy warning, minimization guidance, or handling constraints. In an agent context, this can normalize unnecessary access to sensitive local material and increase the chance that credentials are exposed in logs, prompts, downstream tools, or external API calls.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This section describes sending credentials, article content, and media to WeChat APIs but does not clearly warn that local data will leave the machine and be transmitted to a third-party service. In a skill used by an autonomous agent, omission of that disclosure can lead to silent exfiltration of sensitive drafts, images, metadata, and tokens without informed user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly instructs reading local image files, base64-encoding them, and uploading them to WeChat's CDN, but it does not require user consent, disclosure, or any data-sensitivity check before transmission. In an agent setting, this can cause unintended exfiltration of locally generated or user-provided content to a third-party service, which is a real security and privacy risk even if the upload is functionally necessary for publishing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs persistent storage of pipeline state in a file under the user's home directory and later examples include session-related fields, but it provides no warning, minimization guidance, or protection requirements for sensitive values. In an agent workflow, state files are commonly long-lived and broadly readable by other local processes, so persisting identifiers tied to browser/editor sessions can leak recoverable session context across turns or after compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The publishing-state example includes a token-like field (`wechat_token`) and a browser/editor identifier (`editor_target_id`) in a persisted JSON example without any caution that these may be sensitive session artifacts. Even as documentation, this normalizes storing reusable session data on disk, which can enable unauthorized reuse of an authenticated publishing session if local files are exposed.

Missing User Warnings

Low
Confidence
84% confidence
Finding
This code implicitly loads configuration from both the current working directory and the user's home directory without any disclosure, trust boundary check, or explicit opt-in. In a skill/execution context, an attacker who can influence the working directory contents could alter rendering behavior unexpectedly, creating a configuration-injection vector even if it does not directly lead to code execution in this file.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The renderer encodes PlantUML source and sends it to a remote PlantUML server by default, which can disclose potentially sensitive diagram contents to a third party without explicit user awareness or consent. In a markdown rendering context, users may reasonably expect local rendering, so silently transmitting document content off-host creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Inline SVG mode fetches remote SVG content and injects the returned markup directly into the DOM via outerHTML. Besides undisclosed network access, this introduces a stronger client-side risk because malicious or compromised remote SVG content can lead to script-capable markup injection or active content execution depending on browser behavior and surrounding sanitization.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script modifies workspace files AGENTS.md and HEARTBEAT.md without prompting the user, injecting persistent agent-behavior instructions into the target workspace. In a skill context, this is risky because it silently changes future agent behavior and can affect subsequent runs or other tools operating in that workspace, creating an integrity and trust boundary violation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script attempts to install external dependencies and runs a package manager install command without explicit confirmation. This is dangerous because it executes network-dependent installation actions and third-party package resolution in the user's environment, which expands the attack surface and can lead to unintended code execution or environment changes during setup.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest explicitly grants access to external APIs and user-supplied credentials, but the skill file provides no user-facing notice, consent flow, or data-handling constraints. In a skill that writes, previews, and publishes content to third-party services, this creates a real risk of sensitive data being transmitted or misused without clear user awareness.

Ssd 3

Medium
Confidence
96% confidence
Finding
The resume instructions tell the operator to verify and continue using stored browser/page context and identifiers across turns, including checking token validity and reusing page-scoped state. This increases risk because it operationalizes persistence and reuse of authenticated session material, making the workflow more vulnerable to credential/session theft, unintended cross-turn exposure, and stale-session misuse.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

# access_token is obtained earlier in the skill's publishing workflow (not shown here).
# For article body images (temporary URL, use in <img src="...">):
with open("images/img1.png", "rb") as f:
    r = requests.post(
        "https://api.weixin.qq.com/cgi-bin/media/uploadimg",
        params={"access_token": access_token},
        files={"media": ("img1.png", f, "image/png")},
        timeout=60,
    )
```
Confidence
95% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

# access_token is obtained earlier in the skill's publishing workflow (not shown here).
# For cover (permanent, needed as thumb_media_id):
with open("images/cover.png", "rb") as f:
    r = requests.post(
        "https://api.weixin.qq.com/cgi-bin/material/add_material",
        params={"access_token": access_token, "type": "image"},
        files={"media": ("cover.png", f, "image/png")},
        timeout=60,
    )
```
Confidence
95% confidence
Finding
requests.post( "https://

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal