Security audit

WeChat GZH

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised WeChat Official Account management, but it handles live credentials and can publish or delete account content with limited safeguards.

Install only if you trust this publisher and intend to let an agent manage a real WeChat Official Account. Store credentials carefully, avoid passing secrets on the command line, avoid running get-token in logged sessions, and treat publish/delete commands as live account actions because the script does not require confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Scope Creep

Medium
Confidence: 93%
Finding
The CLI allows credentials to be supplied via --appid and --secret, which expands the skill's credential intake beyond the declared sources of workspace files and environment variables. In an agent setting, this can cause sensitive secrets to be pulled from user prompts, command history, logs, or orchestrator traces, increasing credential exposure risk.

Scope Creep

Medium
Confidence: 96%
Finding
By default, the code reads ~/.wechat_gzh_config.json from the user's home directory, which exceeds the manifest's declared workspace-file access scope. In an agent environment, reading outside the workspace violates least privilege and may expose unrelated local secrets or account credentials.

Scope Creep

Medium
Confidence: 95%
Finding
The get-material CLI path writes downloaded binary content to a local file even though the manifest declares only context reading and API calls. This is a capability mismatch that can create or overwrite files in the execution environment, broadening the skill's effect beyond what users and policy expect.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill documents destructive actions such as deleting drafts and published articles without any warning, confirmation, or discussion of irreversible consequences. In a publishing-management context, this increases the risk of accidental content deletion or unauthorized destructive use by a caller who does not understand the impact.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs users to store AppID/AppSecret locally and use them to call external WeChat APIs, but it does not clearly warn that credentials and managed content will be transmitted to a third-party service. In a credentialed integration skill, lack of privacy and transmission disclosure can lead to users exposing secrets or content without informed consent.

Missing User Warnings

Medium
Confidence: 88%
Finding
The delete command performs a destructive remote action immediately, without confirmation, dry-run support, or cautionary disclosure. In an agent-driven workflow, accidental invocation or parameter confusion could permanently delete published articles from the WeChat account.

VirusTotal

64/64 vendors reported this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.