Back to plugin

Security audit

Holo WeChat MP

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate WeChat publishing helper, but it can upload local files referenced by HTML to WeChat and includes at least one account-deletion helper without explicit confirmation.

Review the full package before giving it real WeChat or OpenRouter credentials. Use trusted article HTML only, run the inspection/dry-run step, check every local image path before upload, avoid file:// references, and require explicit confirmation for any publish or deletion operation.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/wechat-mp-illustrate/scripts/illustrate.py:69
Evidence
client = client_class(api_key=[REDACTED], model=args.model)

Python code base64-encodes a local file and sends it over the network.

Critical
Code
suspicious.potential_exfiltration
Location
skills/wechat-mp-illustrate/scripts/api.py:141
Evidence
encoded = base64.b64encode(path.read_bytes()).decode("ascii")