Security audit

Wechat Article

Security checks across malware telemetry and agentic risk

Overview

This is a mostly instruction-only WeChat article writing skill. Its steps for cover-image generation and publishing are disclosed but warrant user review.

Install this for drafting assistance, but review the final article and cover image before publishing. Only run the referenced image generator or wechat-mp-toolkit if those tools are installed from sources you trust and pointed at the intended WeChat account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill’s declared purpose is article creation, but the documentation extends its behavior to image generation and external publishing. Expanding scope to invoke other tools and push content outward increases the attack surface and can enable unintended side effects, especially if an agent executes the documented workflow automatically without explicit user confirmation.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
Including a publication step via an external toolkit is risky because it turns a content-generation skill into one capable of taking real-world actions on external platforms. If wired into an agent with credentials, this could cause unauthorized or accidental posting, reputational harm, or leakage of sensitive or unreviewed content.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.