Back to skill

Security audit

微信小程序自动化测试

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate WeChat mini-program testing tool, but it needs review because it can run local automation and collect/save diagnostic data beyond what the docs clearly describe.

Install only if you are comfortable giving it local control over WeChat DevTools for test projects. Use test accounts and synthetic data, review generated scripts before running them, and treat screenshots, exported logs, performance reports, and result JSON as sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
            if "NODE_PATH" not in env:
                try:
                    npm_global = subprocess.run(
                        "npm root -g",
                        capture_output=True, text=True, timeout=10,
                        shell=True,
Confidence
89% confidence
Finding
npm_global = subprocess.run( "npm root -g", capture_output=True, text=True, timeout=10, shell=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs the agent to create and execute Python scripts, launch local tooling, access project files, and connect to a local WebSocket endpoint, which implies shell, file, environment, and network capabilities. Because these capabilities are operationally significant but not explicitly declared, users and policy layers may underestimate the skill's access, creating a transparency and consent gap that can lead to unintended code execution or data exposure.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The function advertised as reading console logs actually collects page routes and wx.getSystemInfoSync(), which can expose device and environment metadata unrelated to the requested purpose. In an automation-testing skill, this is more dangerous because users may grant access expecting log retrieval, not broader host/device information collection.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file-level description claims console/error/network log reading, but the implementation shown retrieves page routes and system information instead. This mismatch creates deceptive behavior and undermines informed consent, increasing the risk of unintended data collection in a developer tooling context where sensitive app/runtime details may be present.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
PerformanceMonitor collects systemInfo and performance-related data and can export it to disk without any warning, redaction, or consent flow. In this skill context, exported reports may contain device fingerprints or environment details that persist on disk and can later be exposed through sharing, backups, or CI artifacts.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The subprocess environment is inherited wholesale with `os.environ.copy()` and then passed to Node, which executes generated JavaScript and loads modules via `NODE_PATH`. In a sensitive runtime, this can leak secrets from environment variables to child processes and broadens trust to whatever the environment and module-resolution state provide.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.