Back to skill

Security audit

Wecom Voice Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate WeCom voice assistant, but its public webhook guidance and sample server lack authentication/signature verification for enterprise message callbacks.

Install only for development or controlled testing unless you add proper WeCom callback signature/encryption validation, run it behind HTTPS with restricted access, protect all WeCom credentials, and understand that transcripts and user IDs may be written locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes capabilities that imply shell execution, file read/write, webhook hosting, network access, and integration with external services, yet it declares no permissions or trust boundaries. This mismatch is dangerous because users and the platform cannot accurately assess or constrain what the skill is allowed to do, increasing the risk of over-privileged execution, unsafe deployment, or unnoticed data handling.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The README makes a strong privacy/security claim that all data is processed locally and not uploaded, yet the documented architecture requires exposing a webhook endpoint and receiving callback data from WeCom over the network. This can mislead deployers about the actual data flow and trust boundary, causing them to deploy the service without appropriate network, logging, or privacy controls.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The privacy statement says the skill does not store, upload, or forward user voice data, but the setup instructions describe a webhook server that receives message data via an internet-exposed callback. Even if the skill itself does not originate uploads, this wording is materially misleading because user content necessarily traverses external infrastructure and reaches a network service controlled by the deployer.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The POST webhook handler accepts arbitrary JSON and processes it as a WeCom callback without validating the callback signature, timestamp, nonce, or decrypting/verifying encrypted payloads. This allows any network-reachable party to spoof messages, trigger business logic, poison logs, and potentially abuse any future integrations such as message sending, scheduling, or todo creation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The GET URL verification path explicitly skips signature validation and reflects echostr directly, despite the comment acknowledging verification is required. This defeats WeCom endpoint ownership/authentication checks and signals a broader trust failure in the webhook design, making spoofing and misbinding easier.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly tells users to expose a locally hosted webhook on port 8080 to the public internet via frp or ngrok, but it does not warn about the resulting attack surface, privacy exposure, or the need to restrict and authenticate inbound traffic. In the context of a webhook handling enterprise voice messages, this can expose message contents and invite probing, spoofed requests, or abuse if the server implementation is weak or misconfigured.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup instructs users to retrieve and use the WeCom application Secret and later obtain an access token, but it provides no warning that these are sensitive credentials that must not be exposed, logged, committed, or shared. If mishandled, an attacker could impersonate the application, call enterprise APIs, and access or send data as the bot.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists full session objects, including user identifiers and message history, to disk in a temp_sessions directory without any consent notice, retention disclosure, or access-control safeguards. In a voice-message agent, these records can contain sensitive personal or business content, so silent storage increases privacy and data-exposure risk if the host is shared, backed up, or compromised.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.