File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- skills/wechat-mp-illustrate/scripts/illustrate.py:69
- Evidence
client = client_class(api_key=[REDACTED], model=args.model)
Security audit
Security checks across malware telemetry and agentic risk
This looks like a legitimate WeChat publishing helper, but it can upload local files referenced by HTML to WeChat and includes at least one account-deletion helper without explicit confirmation.
Review the full package before giving it real WeChat or OpenRouter credentials. Use trusted article HTML only, run the inspection/dry-run step, check every local image path before upload, avoid file:// references, and require explicit confirmation for any publish or deletion operation.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
client = client_class(api_key=[REDACTED], model=args.model)
encoded = base64.b64encode(path.read_bytes()).decode("ascii")