
Security audit

「自己」微信画像分析 ("Self" WeChat profile analysis)

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised WeChat profiling, but it handles very sensitive chat data with broad persistence, unpinned setup code, and bundled personal profile artifacts that users should review carefully.

Install only if you are comfortable decrypting and locally profiling your WeChat database with administrator privileges. Review the external decryptor before running setup, remove the bundled generated profile files, avoid syncing chat-derived content into MEMORY.md until you have reviewed and minimized it, and disable the cron/memory scripts unless you explicitly want ongoing session capture and memory maintenance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run(cmd, check=True):
    print(f"  > {cmd}")
    # Flagged line: shell=True hands the whole string to the system shell, so
    # metacharacters in cmd (paths, contact names) are interpreted, not passed literally.
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if result.stdout:
        print(result.stdout)
    if result.returncode != 0 and check:
        # Body truncated in the audit excerpt; assumed completion so the snippet runs.
        raise SystemExit(f"command failed ({result.returncode}): {result.stderr}")
Confidence
91% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
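Why the flagged line matters in a tool that interpolates database paths and contact names into commands: with shell=True the string is parsed by /bin/sh, so a value containing `;`, `&&`, `$(...)` or backticks runs a second command. The following is an added example, not code from the skill: it mirrors the flagged wrapper, shows the injection with a constructed input, and puts the argv form (no shell) and `shlex.quote` (when a shell really is needed) beside it. It assumes a POSIX `sh` and `echo`.

```python
import shlex
import subprocess


def run_shell(cmd: str) -> subprocess.CompletedProcess:
    """Mirror of the flagged pattern: shell=True hands the string to /bin/sh,
    which splits it and honours ;, &&, |, $(...) and backticks."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def run_argv(argv: list[str], check: bool = True) -> subprocess.CompletedProcess:
    """Hardened form: argv goes to execve() unchanged, no shell parses it.
    With check=True a non-zero exit raises instead of being silently ignored."""
    result = subprocess.run(argv, capture_output=True, text=True)
    if check and result.returncode != 0:
        raise RuntimeError(
            f"{argv[0]} exited with {result.returncode}: {result.stderr.strip()}"
        )
    return result


def demo(user_supplied: str) -> tuple[str, str, str]:
    """Run one attacker-influenced value through three wrappers and return
    what each one actually printed (shell=True, argv, shell with quoting)."""
    injected = run_shell(f"echo {user_supplied}").stdout
    literal = run_argv(["echo", user_supplied]).stdout
    # If a shell is unavoidable (pipes, globs), quote every interpolated value.
    quoted = run_shell("echo " + shlex.quote(user_supplied)).stdout
    return injected, literal, quoted


if __name__ == "__main__":
    # Constructed input: a "database path" that smuggles in a second command.
    for label, out in zip(("shell=True", "argv", "shell+quote"),
                          demo("chat.db; echo INJECTED")):
        print(f"{label:12s}: {out!r}")
```

Only the shell=True variant prints INJECTED on its own line; the argv and quoted variants echo the whole value as one literal argument. In a setup script that clones, decrypts and installs, every wrapper call should take a list, and the return code should be checked rather than printed and ignored.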

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The README asserts that the tool 'only analyzes yourself' and does not involve third-party privacy, yet the documented outputs include contacts, group chats, relationship networks, and communication patterns derived from other people's messages. This is a misleading privacy claim that can cause users to process highly sensitive third-party data without informed consent or adequate safeguards.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The README says certain content 'will not appear in the profile,' but elsewhere describes broad profile artifacts containing contacts, groups, and relational analysis without clearly proving those exclusions persist in generated outputs. This creates a gap between promised filtering and actual data exposure, increasing the risk that sensitive or out-of-scope information is still retained in analysis artifacts.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script is presented as a generic WeChat analysis tool, but later output embeds fixed identity claims about a specific person, indicating deceptive behavior and unauthorized profiling. Hard-coded biographical assertions can misattribute identity, amplify privacy harm, and suggest the tool is designed to generate dossiers rather than neutral analysis.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The function claims to generate a computed profile, but it inserts prewritten personal details unrelated to the actual analysis inputs. This is dangerous because it fabricates sensitive personal data in an output that appears evidence-based, enabling deception, stalking, defamation, or coercive profiling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions direct users to decrypt and analyze full WeChat databases, including contacts and relationship information, without a clear warning about the sensitivity of the dataset or the privacy impact on other participants. In context, this normalizes invasive processing of private communications and may lead users to handle regulated or highly sensitive personal data unsafely.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are very broad and include generic commands such as “分析我的微信” (analyze my WeChat), “更新我的画像” (update my profile), “另一个我” (another me), and “解密微信” (decrypt WeChat), which could cause the skill to activate in contexts the user did not clearly intend. Because the skill performs highly sensitive actions involving decryption and analysis of private WeChat data, accidental invocation materially increases privacy and safety risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to decrypt WeChat databases and analyze message history, but it does not present a clear, prominent warning about the sensitivity of chat contents, contacts, media, and derived personality profiles. This omission is dangerous because users may not fully understand that the workflow accesses large volumes of intimate personal data and then propagates derived results into long-lived memory files, increasing exposure if the endpoint or workspace is later compromised.

Missing User Warnings

High
Confidence
96% confidence
Finding
The tool generates multiple markdown files containing contacts, session metadata, and message-derived content without any warning, consent, or confirmation flow. In this context, the output is highly sensitive personal data, so silent bulk export materially increases the risk of privacy violations, misuse, and unintended disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists a quarterly timeline archive derived from private messaging analysis without informing the user that sensitive summaries will be stored long-term. Persistent storage increases exposure duration and makes later exfiltration, accidental sharing, or forensic recovery more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically clones and installs code from an external GitHub repository and then installs dependencies from its requirements file, which expands the trust boundary to remote, mutable content. This is especially risky here because the skill is explicitly setting up tooling for WeChat decryption, a sensitive context that can affect local systems and private data.
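Two checks turn "clone a branch and pip install whatever requirements.txt says today" into a reviewable, repeatable install: verify that the checked-out commit is the one you reviewed, and refuse a requirements file that is not pinned and hashed. The code below is an added example (not the skill's setup script); the expected commit, the sample requirements file and the package names in it are constructed placeholders.

```python
import re
import subprocess
from pathlib import Path
from typing import Iterator

# Constructed placeholder: substitute the commit hash you actually reviewed.
EXPECTED_COMMIT = "0" * 40

# name[extras]==version ; anything looser can resolve differently tomorrow
_PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;]+")


def _logical_lines(text: str) -> Iterator[str]:
    """Strip comments and join backslash-continued lines, as pip does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def unpinned_requirements(text: str) -> list[str]:
    """Requirement lines that would fail `pip install --require-hashes`:
    no exact ==version, or no --hash= for the artifact."""
    return [
        line for line in _logical_lines(text)
        if not line.startswith("-")                    # options such as -r, --index-url
        and (not _PINNED.match(line) or "--hash=" not in line)
    ]


def verify_checkout(repo_dir: Path, expected: str = EXPECTED_COMMIT) -> bool:
    """True if the clone's HEAD is the reviewed commit. argv form, no shell,
    so repo_dir cannot smuggle in a command."""
    head = subprocess.run(
        ["git", "-C", str(repo_dir), "rev-parse", "HEAD"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    return head == expected


# Constructed sample, not the decryptor's real requirements file.
SAMPLE_REQUIREMENTS = (
    "# pinned and hashed: acceptable\n"
    "pycryptodome==3.20.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "requests>=2.0\n"          # range, not a pin
    "pywin32\n"                # no version at all
    "lancedb==0.6.0\n"         # pinned but no hash
)


if __name__ == "__main__":
    for bad in unpinned_requirements(SAMPLE_REQUIREMENTS):
        print("unpinned:", bad)
    # verify_checkout(Path("external-decryptor")) once the clone exists
```

Once every line passes, install with `pip install --require-hashes -r requirements.txt` so pip itself refuses a substituted wheel; `verify_checkout` then guards against the upstream branch moving between your review and the user's install.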

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically extracts WeChat profile activity such as 'last active' and 'unread' indicators from a cold-storage file and writes them into a hot-layer MEMORY.md without user confirmation, consent checks, or any privacy notice. This increases exposure of potentially sensitive behavioral data by promoting it into a more visible and likely more broadly consumed memory file, which can lead to unintended disclosure or secondary misuse by other tools or users.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes very broad phrases such as '记忆系统' (memory system), 'memory system', and 'lancedb', which can cause the skill to activate in contexts where the user did not intend to enable persistent memory behavior. Because this skill performs retention and scheduled processing of session content, accidental activation materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description advertises automatic capture, scanning, deletion, and scheduled writes, but it does not present a clear warning or consent step about persistent storage and automated modification of user data. Users may enable the skill without understanding that conversations and summaries will be retained, processed on a schedule, and potentially deleted or rewritten.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes structured instructions into HEARTBEAT.md specifically to trigger downstream agent execution, creating an implicit command channel without authentication, integrity checks, or meaningful user notice. In an agentic system, any file-based trigger that causes automated action can be abused for unauthorized task injection, especially if other components trust HEARTBEAT.md as executable intent.
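The minimum a consumer of a file-based trigger needs is a way to tell the writer's instructions from anything else that managed to edit the file. The following added example (not the skill's code) has the writer append an HMAC-SHA256 trailer over the instruction body and has the consumer act only on a body that verifies; the trailer line format is an assumption made for this example, and the key and body are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Trailer convention assumed for this example; nothing in the skill's
# HEARTBEAT.md carries such a field.
TRAILER_PREFIX = "<!-- hmac-sha256: "
TRAILER_SUFFIX = " -->"


def sign_heartbeat(body: str, key: bytes) -> str:
    """Append HMAC-SHA256(key, body) so the consumer can authenticate the writer."""
    body = body.rstrip("\n")
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}\n{TRAILER_PREFIX}{tag}{TRAILER_SUFFIX}\n"


def verify_heartbeat(content: str, key: bytes) -> Optional[str]:
    """Return the instruction body only if its trailer verifies under key.
    Unsigned, tampered or wrong-key content yields None: the consumer must
    refuse to act rather than fall back to trusting the file."""
    body, _, trailer = content.rstrip("\n").rpartition("\n")
    if not (trailer.startswith(TRAILER_PREFIX) and trailer.endswith(TRAILER_SUFFIX)):
        return None
    tag = trailer[len(TRAILER_PREFIX):-len(TRAILER_SUFFIX)].strip()
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return body


if __name__ == "__main__":
    # Demo key only. A real key must live where the agent cannot write it
    # (a 0600 file outside the workspace, or an environment variable), otherwise
    # whoever can edit HEARTBEAT.md can simply re-sign it.
    key = secrets.token_bytes(32)
    body = "task: summarize sessions since 2024-05-01\nwrite: memory/2024-05-03.md"
    signed = sign_heartbeat(body, key)
    print(verify_heartbeat(signed, key) == body)                               # True
    print(verify_heartbeat(signed.replace("summarize", "exfiltrate"), key))    # None
```

This authenticates the writer, nothing more: if the writer itself composes the body from session content an attacker can influence, signing only certifies that the injected instruction came through the expected script. Keep the consumer's accepted instruction set small and explicit as well.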

Ssd 3

High
Confidence
98% confidence
Finding
The README explicitly promotes converting private WeChat chat history into an AI memory system that 'understands you' better. Persistently transforming intimate conversations, behavioral signals, and relationship data into reusable model-readable memory materially increases privacy risk, especially because it extends the lifetime, accessibility, and secondary use of highly sensitive data.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow directs decrypted WeChat data to be transformed into structured reports and synchronized into a 'hot' memory layer that the AI directly reads. This creates a high-risk pipeline from decrypted private communications to persistent AI context, making accidental overexposure, misuse, or retention of sensitive personal and third-party data much more likely.

Ssd 3

High
Confidence
99% confidence
Finding
The data-flow section explicitly states that structured reports from WeChat records are written into MEMORY.md for direct AI consumption. In this skill context, that is especially dangerous because the source material is decrypted private messaging data containing relationship, behavioral, and likely third-party information, so the design itself operationalizes privacy-invasive retention and reuse.

Ssd 3

High
Confidence
99% confidence
Finding
This code writes human-readable profile reports that expose private contacts, session summaries, group activity, and inferred interests from decrypted message data. In a skill whose purpose is profiling private communications, transforming raw data into convenient dossier-style markdown substantially increases the risk of surveillance, doxxing, coercion, and unauthorized sharing.

Ssd 3

High
Confidence
99% confidence
Finding
The relationship report explicitly classifies private contacts into categories like close relationships and transaction-related interactions using chat summaries. This creates a sensitive social graph and financial-behavior inference layer that can be abused for blackmail, targeting, social engineering, or reputational harm.

Ssd 3

High
Confidence
100% confidence
Finding
The language-signature output reproduces samples of private message content directly into a report file. Copying message text into secondary artifacts expands the attack surface, leaks potentially intimate or regulated information, and makes accidental disclosure much easier than leaving data confined to the source database.
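The two findings about promotion into MEMORY.md without confirmation and about message samples copied into report files share one fix: a gate between the cold layer and the hot layer that requires an explicit confirmation, keeps only an allowlist of scalar fields, refuses anything that looks like quoted message text, and records what it dropped. The following is an added example (not the skill's sync script); the cold-layer fragment, its field names and the default allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed cold-layer profile fragment in the shape the findings describe;
# not an output of the skill.
COLD_PROFILE = """\
## WeChat profile (constructed sample)
- last_active: 2024-05-03
- unread: 12
- contacts: 张三, 李四, 王五
- closest_contacts: 张三 (close relationship), 李四 (transactions)
- language_sample: "明天老地方见，带上那份合同"
- interests: hiking, fintech
"""

# Keys allowed to reach MEMORY.md by default (assumed policy). Names,
# relationship labels and message text are never on this list.
DEFAULT_ALLOWLIST = frozenset({"last_active", "unread"})

_FIELD = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")
# ASCII and CJK quotation marks: how message samples show up in reports.
_QUOTED = re.compile(r"[\"'“”‘’「」『』]")


@dataclass
class Promotion:
    kept: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)   # (key, reason) for the audit log


def minimize(cold_markdown: str, allow=DEFAULT_ALLOWLIST) -> Promotion:
    """Keep only allowlisted scalar fields and drop everything else with a
    reason. Quoted text is refused even when its key is allowlisted."""
    p = Promotion()
    for line in cold_markdown.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue                      # headings and free prose never promote
        key, value = m.groups()
        if key not in allow:
            p.dropped.append((key, "not in allowlist"))
        elif _QUOTED.search(value):
            p.dropped.append((key, "quoted message text"))
        else:
            p.kept[key] = value
    return p


def promote_to_hot(cold_markdown: str, allow=DEFAULT_ALLOWLIST,
                   confirmed: bool = False) -> str:
    """Render the hot-layer section. Refuses without an explicit confirmation
    flag, so a cron job cannot promote chat-derived data silently."""
    if not confirmed:
        raise PermissionError("promotion to MEMORY.md requires explicit user confirmation")
    p = minimize(cold_markdown, allow)
    lines = ["## WeChat (minimized, promoted with user confirmation)"]
    lines += [f"- {k}: {v}" for k, v in sorted(p.kept.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = minimize(COLD_PROFILE)
    for key, reason in result.dropped:
        print(f"dropped {key}: {reason}")
    print(promote_to_hot(COLD_PROFILE, confirmed=True))
```

The dropped list is what the user reviews before saying yes; the allowlist is the thing to keep short. The same gate belongs in front of the quarterly timeline archive and the language-signature report, since those are the artifacts that carry contact names and message text out of the encrypted database.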

Ssd 3

Medium
Confidence
95% confidence
Finding
This section describes automatic capture, vector storage, retrieval injection, and scheduled summarization of session-derived content into long-lived memory layers. That creates a real risk of retaining sensitive user information, secrets, or regulated data in markdown files, logs, and a vector database where it may later be recalled in unrelated contexts.

Ssd 3

Medium
Confidence
96% confidence
Finding
Micro Sync explicitly instructs scanning recent sessions, extracting decisions and content, reviewing auto-captured memories, and appending results into dated memory files. This operationalizes routine collection and persistence of conversational data, which can expose confidential information and creates a durable audit trail even when users did not intend long-term retention.

VirusTotal

66/66 vendors flagged this skill as clean. A clean antivirus verdict covers known-malware signatures only; it says nothing about the privacy, persistence and supply-chain issues listed in the findings above.
