Security audit

Wechat Article Archive

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated archiving purpose, but its parser can execute code from fetched pages and its URL check can be bypassed, so it needs review before installation.

Review before installing. Use only with trusted WeChat article links, run it in a constrained sandbox, and choose a dedicated output folder because it writes files there. The publisher should replace substring URL checks with strict parsed-host checks and avoid evaluating fetched page JavaScript with new Function before this is treated as low-risk.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Behavioral ASTexec() Call, eval() Call, Dynamic Import
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain

Findings (7)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: process.exit(1); }}); """ res = subprocess.run([node, "-e", js], capture_output=True, text=True, cwd=str(SKILL_DIR)) if res.returncode != 0: fail(res.stderr.strip() or "extract failed", 4) try:
Confidence: 97% confidence
Finding: res = subprocess.run([node, "-e", js], capture_output=True, text=True, cwd=str(SKILL_DIR))

Tainted flow: 'node' from os.environ.get (line 28, credential/environment) → subprocess.run (code execution)

Medium

Category: Data Flow
Content: process.exit(1); }}); """ res = subprocess.run([node, "-e", js], capture_output=True, text=True, cwd=str(SKILL_DIR)) if res.returncode != 0: fail(res.stderr.strip() or "extract failed", 4) try:
Confidence: 99% confidence
Finding: res = subprocess.run([node, "-e", js], capture_output=True, text=True, cwd=str(SKILL_DIR))

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill instructs the agent to execute shell commands, access environment variables, make network requests, and write files, but it does not declare permissions or constraints for those capabilities. In a skill that accepts a user-provided URL and destination folder, this creates a real trust-boundary issue because the agent may perform filesystem and network actions without explicit governance or sandbox expectations.

Unvalidated Output Injection

High

Category: Output Handling
Content: process.exit(1); }}); """ res = subprocess.run([node, "-e", js], capture_output=True, text=True, cwd=str(SKILL_DIR)) if res.returncode != 0: fail(res.stderr.strip() or "extract failed", 4) try:
Confidence: 95% confidence
Finding: subprocess.run([node, "-e", js], capture_output

Unpinned Dependencies

Low

Category: Supply Chain
Content: beautifulsoup4>=4.12
Confidence: 91% confidence
Finding: beautifulsoup4>=4.12

Known Vulnerable Dependency: qs==6.15.0 — 1 advisory(ies): CVE-2026-8723 (qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/u)

Low

Category: Supply Chain
Confidence: 84% confidence
Finding: qs==6.15.0

Tool Parameter Abuse

High

Category: Tool Misuse
Content: "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmmirror.com/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ],
Confidence: 85% confidence
Finding: rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal