wechat-mp-publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate WeChat publishing helper, but users should review it before installing: it can send full article drafts and live WeChat credentials to a remote MCP server, discloses this only weakly, and its documented examples use plain HTTP rather than HTTPS.

Install only if you trust and control the MCP endpoint, preferably over HTTPS. Treat wechat.env and TOOLS.md credentials as sensitive long-lived account secrets, keep them out of version control, and review the exact article and images before running publish-remote.sh or asking the agent to publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding
The skill clearly instructs use of shell-based tooling (`cp`, `nano`, `chmod`, script execution) and declares install/runtime binaries, but it does not declare corresponding permissions. Undeclared shell capability weakens the trust model for users and automated policy enforcement, because the skill can induce command execution beyond what its permission manifest communicates.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The documented behavior emphasizes remote HTTP MCP publishing with credential isolation, but the skill also supports local direct publishing, reads and exports credentials from other files, and depends on local CLI execution. That mismatch is security-relevant because users may trust a narrower data flow and isolation boundary than actually exists, leading to credential exposure or unintended local execution paths.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly promotes remote publishing over HTTP and states that sensitive credentials are passed at runtime, but it does not clearly warn users that article content and authentication secrets will be transmitted to a remote service outside the local machine. This creates a real security risk because users may assume the skill is primarily local or safely isolated, while in practice a remote MCP operator, misconfiguration, or insecure transport could expose content, tokens, or account access.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill asks users to store highly sensitive WeChat Official Account credentials in `wechat.env` and says the assistant will read them, but it provides no explicit guidance on secret storage hygiene, file permissions, `.gitignore`, redaction, or avoiding echo/logging. This increases the risk of accidental credential disclosure through version control, shell history, chat transcripts, or overly broad filesystem access.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill promotes routing publication through a remote HTTP MCP service but does not clearly warn that article content, metadata, and possibly authentication-related data are transmitted to a remote server. Without an explicit disclosure of this trust boundary, users may unknowingly send private drafts or sensitive business content to infrastructure they do not control.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The document promotes automatic image uploads and one-click publishing to a public platform without warning that local files and article content will be transmitted to external services. In a publishing skill, this omission can cause users to unintentionally disclose sensitive content or trigger unintended publication, especially because the feature is presented as frictionless and automatic.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script reads the entire local article file and sends it to a remote MCP service, but it does not clearly warn the user that local content will leave the machine. In a publishing skill this may be functionally expected, but the lack of explicit disclosure increases the risk of accidental transmission of sensitive or proprietary content.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The script packages WECHAT_APP_ID and WECHAT_APP_SECRET into arguments sent to the remote MCP service, exposing sensitive credentials to another system. This is dangerous because compromise, logging, or misuse on the remote endpoint could lead to unauthorized control of the WeChat account or persistent credential theft.
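The practical response to the two credential findings above (secret-storage hygiene for `wechat.env`, and the fact that `WECHAT_APP_ID`/`WECHAT_APP_SECRET` leave the machine for the MCP endpoint) is a pre-flight check run before `publish-remote.sh`. The POSIX shell script below is an added example written for this page; it is not the skill's own code and not part of the scanner output. The file names `wechat.env` and `TOOLS.md` and the two variable names come from the findings; the endpoint URL, the fixture directory and every value in it are constructed for the example. It verifies that the env file is owner-only, that both keys are present (without ever echoing the secret), that `wechat.env` is git-ignored, that the MCP endpoint is HTTPS, and that the secret has not been copied into `TOOLS.md`.

```shell
#!/bin/sh
# Pre-flight checks before a remote-MCP WeChat publish (added example,
# not the skill's code). File names and variable names follow the findings;
# the endpoint URL and fixture contents are constructed.

# 0 if the env file exists and is not readable by group or others.
check_env_perms() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *) echo "insecure mode $mode on $f (expected 600)" >&2; return 1 ;;
  esac
}

# 0 if both required keys are present and non-empty. Values are read into
# variables and never printed, so nothing lands in logs or transcripts.
check_env_keys() {
  f="$1"
  app_id=$(sed -n 's/^WECHAT_APP_ID=//p' "$f" | head -n1)
  app_secret=$(sed -n 's/^WECHAT_APP_SECRET=//p' "$f" | head -n1)
  [ -n "$app_id" ] && [ -n "$app_secret" ]
}

# 0 if the exact pattern $1 is a line of the .gitignore at $2.
check_gitignored() {
  pattern="$1"; gitignore="$2"
  [ -f "$gitignore" ] && grep -qxF "$pattern" "$gitignore"
}

# 0 only for an https:// endpoint; the plain-HTTP examples in the README
# would fail here.
check_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "MCP endpoint is not HTTPS: $1" >&2; return 1 ;;
  esac
}

# 0 if the app secret from $2 appears verbatim in file $1 (e.g. TOOLS.md,
# a shell history dump, or a saved chat transcript). Non-zero means clean.
secret_leaked_in() {
  f="$1"; envfile="$2"
  app_secret=$(sed -n 's/^WECHAT_APP_SECRET=//p' "$envfile" | head -n1)
  [ -n "$app_secret" ] && [ -f "$f" ] && grep -qF -- "$app_secret" "$f"
}

# Run every check against a skill directory and an endpoint URL.
preflight() {
  dir="$1"; endpoint="$2"
  check_env_perms "$dir/wechat.env" &&
  check_env_keys "$dir/wechat.env" &&
  check_gitignored wechat.env "$dir/.gitignore" &&
  check_https "$endpoint" &&
  ! secret_leaked_in "$dir/TOOLS.md" "$dir/wechat.env"
}

# Constructed fixture: a throwaway directory laid out like the skill's.
# Prints the directory path.
make_fixture() {
  d=$(mktemp -d)
  printf 'WECHAT_APP_ID=wx0000000000000000\nWECHAT_APP_SECRET=constructed-secret-value\n' > "$d/wechat.env"
  chmod 600 "$d/wechat.env"
  printf 'wechat.env\n' > "$d/.gitignore"
  printf '# TOOLS.md (constructed)\nMCP endpoint: http://127.0.0.1:8000/mcp\n' > "$d/TOOLS.md"
  echo "$d"
}

# Usage: preflight /path/to/skill "https://your-mcp-host.example/mcp" || exit 1
```

The HTTPS check deliberately refuses `http://` even for loopback addresses; if the MCP server is local, terminate TLS in front of it or relax `check_https` knowingly rather than silently. The leak check is a plain substring match, so it also catches the secret pasted into a Markdown code block.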

VirusTotal

VirusTotal findings are pending for this skill version.
