Security audit

WeChat Games Reporter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it gathers public WeChat game rankings and sends a Feishu report, with no hidden code or install-time behavior found.

Before installing, make sure you are comfortable granting Feishu document and messaging access. Use a dedicated Feishu account or tightly scoped permissions where possible, choose the recipient deliberately, and review reports before sending if they include sensitive business analysis.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly includes a delivery step that creates a Feishu document and sends it by direct message, but it provides no warning, consent checkpoint, or data-handling guidance for transmitting scraped content off-platform. Even if the scraped rankings are public, automated outbound messaging can surprise users, violate internal data-sharing expectations, or enable unintended dissemination if the report includes additional analysis, identifiers, or sensitive context.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal