Wechat Mp Toolkit

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill does what it advertises, but it bundles fixed WeChat credentials and can create remote drafts without a clear user-controlled credential or confirmation flow.

Install only after removing and rotating the bundled WeChat secret, changing the scripts to load your own credentials from a protected source, and adding an explicit preview/confirmation before any upload or draft creation. Review the absolute /root paths and the external helper execution before running this in a real account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file hardcodes a WeChat `appID` and `appSecret` and then uses them to obtain an access token. Embedded credentials can be extracted by anyone with code access, reused outside the intended environment, and abused to publish content or access the linked public account resources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hard-codes a live WeChat appID and appSecret directly in source code and immediately uses them to obtain an access token for privileged API actions. Embedded credentials are easily exposed through source distribution, logs, backups, or repository history, enabling unauthorized access to the associated WeChat account and abuse of publishing capabilities.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README encourages a one-click workflow that performs network fetching, AI/content generation, image creation, and publication to a WeChat draft box, but it does not clearly warn the user that running the command will make outbound requests and modify remote account state. In an agent-skill context, this omission increases the chance of users executing the script without understanding that it can publish generated content under their official account credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place sensitive WeChat credentials, including appSecret, into a local config file but does not provide any guidance on secret handling, storage permissions, or avoiding accidental commits/logging. This can lead to credential exposure, especially in shared workspaces, repositories, or agent environments where configuration files may be inspected or uploaded.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill advertises '自动清理旧草稿' ("automatically clean up old drafts") as part of the automated publishing flow without a prominent warning, confirmation step, or retention policy. Destructive automation against publishing assets can cause irreversible content loss, especially in a production WeChat Official Account (公众号) context where drafts may be business-critical.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill describes automatic upload of covers and publishing to WeChat using appID/appSecret, but the documentation does not clearly warn users that article content, media, and credentials will be sent to external services. In an automation tool handling platform credentials and unpublished content, insufficient disclosure increases the risk of accidental data exposure or misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow writes generated article content directly to `/root/.openclaw/wechat-publish` without prompting the user or requiring explicit confirmation. Automatic writes can overwrite or create sensitive files unexpectedly in privileged locations, especially because the configured output path is under `/root`.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script executes an external Node.js script via `execSync` with no warning or confirmation, which expands the trust boundary to another file outside this skill. If that external script is modified or replaced, the workflow will run arbitrary code with the current process privileges.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script invokes ImageMagick through a shell command without disclosure or consent. Running external system binaries increases attack surface, and the command includes file paths derived from workflow data, creating avoidable risk from shell execution and privileged filesystem access.

Missing User Warnings

High
Confidence
97% confidence
Finding
The workflow automatically uploads media and article content to WeChat APIs and creates a draft without an explicit publish-time confirmation. In a content-publishing skill, silent outbound transmission is especially sensitive because it can expose generated or local content, consume account quotas, and affect a real public-facing account.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code uses hardcoded credentials for network authentication without any secure handling or user warning, which directly exposes secrets needed to call privileged WeChat APIs. In a publishing toolkit, this is especially dangerous because anyone obtaining the code can impersonate the official account, upload media, and create drafts or other content.

VirusTotal

65/65 vendors flagged this skill as clean.
