wechat-mp-writer-skill-mxx

Security checks across malware telemetry and agentic risk

Overview

This is a WeChat article-writing helper with optional draft publishing and no hidden executable behavior found.

Safe to install as a writing helper. Before using any publish flow, review the generated article, confirm the separate publisher skill is trusted, and avoid sending confidential, unlicensed, fabricated, or undisclosed AI-assisted content to WeChat.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill description is broad enough to overlap with common writing and publishing requests, which can cause the agent to invoke this skill when the user did not explicitly intend to use it. Because this skill can progress all the way to external publication, an accidental trigger increases the risk of unintended content generation or preparation for publishing workflows.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The document describes sending generated Markdown to an external publisher skill and publishing to a WeChat draft box, but it does not require a clear user-facing notice that content will be transmitted outside the current skill context. Without explicit disclosure and confirmation, users may unintentionally expose unpublished, sensitive, or proprietary article content to an external integration.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal