Back to skill

Security audit

Reply Wechat Message

Security checks across malware telemetry and agentic risk

Overview

This WeChat assistant is purpose-aligned but needs review because it reads private chats, may use a third-party OCR service, and can send messages automatically with weak user-control safeguards.

Install only if you are comfortable with a WeChat automation skill that can read visible chat content and send messages on your behalf. Treat any OCR.space use as potential third-party processing of private chats, and prefer using it only with explicit review of drafted replies before sending. Also note that this published artifact appears to omit the scripts it says are bundled, so it may not work as documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The short-form triggers like '回复 小明 / reply Kitty' are broad enough to overlap with ordinary user phrasing, increasing the chance of accidental invocation of an action that reads chat history and may send a message. In this skill, that ambiguity is more dangerous because the triggered behavior is not read-only: it can access full conversation context and automate outbound communication.

Missing User Warnings

High
Confidence
96% confidence
Finding
The auto-reply feature reads the entire visible chat context, has the model generate a response, and then sends it automatically, but the description does not present a clear upfront warning about the privacy and messaging consequences. That omission can cause users to expose sensitive conversation content and unintentionally authorize autonomous outbound messages without informed consent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documented use of OCR.space means chat screenshots or extracted chat content may be transmitted to a third-party external service, yet the skill does not clearly warn users that private messages could leave the local device. In a messaging assistant, this is especially sensitive because the data may include personal, confidential, or regulated information from entire chat threads.

Ssd 1

Medium
Confidence
93% confidence
Finding
The instruction that OCR-recognized text 'IS the real context' and must not be questioned suppresses normal model skepticism about recognition errors, prompt injection embedded in messages, or manipulated chat content. In this skill, that increases the risk of generating unsafe, inappropriate, or attacker-influenced replies based on false or adversarially crafted OCR output.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.