Sync and download articles from multiple WeChat official accounts

Security checks across malware telemetry and agentic risk

Overview

The skill matches its WeChat article-sync purpose, but it handles reusable WeChat login credentials and can expose sensitive session data through configured gateways, diagnostics, or messaging targets without strong warnings.

Install only if you trust the publisher and intend to give this skill access to a WeChat official-account backend session. Use only trusted private messaging targets and trusted gateways, avoid public or unknown proxy URLs, treat JSON command output and imported cookie/token files as credentials, and clear the login state when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Tainted flow: 'run_args' from os.environ.get (line 117, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        if os.name == "nt" and args and args[0].lower().endswith((".cmd", ".bat")):
            run_args = [os.environ.get("COMSPEC", "cmd.exe"), "/c", *args]

        result = subprocess.run(
            run_args,
            capture_output=True,
            text=True,
Confidence
80% confidence
Finding
result = subprocess.run( run_args, capture_output=True, text=True, timeout=timeout, check=False, encoding="utf-8",

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises and instructs use of capabilities including shell execution, network access, environment inspection, and file read/write, but it does not declare permissions or boundaries for those operations. That creates a transparency and consent gap: an agent or user may invoke actions that can access local data, persist files, use saved login state, or send network traffic without an explicit permission model.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The document frames the skill as a local CLI, but it also supports sending QR codes and login notifications to external messaging channels. This broadens the trust boundary from local-only tooling to outbound communications, which can expose login artifacts, metadata, or sensitive operational events to third-party channels if misconfigured or abused.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill can push QR codes and login-result notifications to external chat targets, which is beyond the minimum functionality needed for article sync and retrieval. Because QR-based login flows are security-sensitive, this creates an additional exfiltration and misdelivery path: an attacker or mistaken caller could direct authentication material or account-status information to an unintended recipient.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The gateway path explicitly builds a request using `_session_forward_headers(session)`, which includes the authenticated `Cookie` header, and appends those headers to a request sent to a user-configured proxy URL. That means any proxy operator or compromised gateway can receive valid WeChat session material and impersonate the account, which is especially dangerous because this skill is designed to log into the WeChat MP backend and scrape protected content.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This file adds outbound messaging and image-sending behavior to a skill whose stated purpose is WeChat article syncing and scraping. Scope-expanding capabilities increase the attack surface and can facilitate covert data egress or user tracking, especially when they are not clearly justified by the manifest.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill invokes an external messaging CLI and can send text and image content to a configured target, which is a meaningful outbound-communication capability beyond article scraping. In the context of an automation skill, this can be abused for unauthorized data exfiltration or covert signaling if misconfigured or triggered unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly handles saved login state for a WeChat backend and supports outbound progress notifications via external messaging, yet it provides no warning about how session data is stored, reused, protected, or what data may be transmitted to third-party channels. In practice, this can expose session tokens or sensitive operational metadata and may cause users to unknowingly transmit account names, sync status, or failure details outside the local environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The design explicitly recommends automatically exporting generated summaries to local files under a predictable path, but it does not mention consent, retention controls, access restrictions, or redaction of potentially sensitive article content and model outputs. In this skill’s context, summaries may aggregate scraped article details and derived intelligence, so silent persistence increases the risk of unintended data disclosure to other local users, backup systems, or downstream automation.

Missing User Warnings

High
Confidence
96% confidence
Finding
The design proposes automatic detail fetching followed by summarization through a provider abstraction with OpenAI-compatible endpoints, but it does not warn that full article content may be transmitted to third-party services. In this skill, the fetched corpus can include large amounts of scraped content and account-level aggregation, so automatic external transmission materially increases confidentiality, compliance, and data-governance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The design explicitly documents importing prior cookie/session files and clearing login state for a tool that manages a privileged WeChat public-platform session, but it provides no warning about the sensitivity of those artifacts. Session cookies are effectively bearer credentials: if exposed, copied, or mishandled, an attacker could reuse them to access the associated account without the original login flow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The proxy/gateway instructions encourage routing article-fetch and sync traffic through arbitrary third-party gateway URLs, but do not warn that request URLs, article metadata, session-related traffic, and potentially sensitive browsing targets may be exposed to that intermediary. In this skill context, the omission matters because the feature is specifically used to access account-linked content and remote WeChat resources, making silent third-party routing a real privacy and security risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `doctor` command returns sensitive session metadata including token values, nickname, head image, cookie presence, timestamps, and proxy health details. In a CLI/agent skill context, these results may be surfaced to logs, calling agents, or downstream users, increasing the risk of credential leakage and operational reconnaissance if the command is invoked in an untrusted workflow.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The environment check has side effects: it creates directories and touches a database file automatically during what appears to be a diagnostic operation. This is not a classic exploit primitive, but it can unexpectedly modify the filesystem, create artifacts in unintended locations if configuration is wrong, and violate least surprise in automation or restricted environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In gateway mode, the code forwards session-derived headers, including cookies, but this file provides no user-facing warning, consent flow, or disclosure that authenticated WeChat credentials may be sent to an external proxy service. Even if intentional for functionality, silent credential forwarding materially increases the risk of account takeover or privacy compromise if the proxy is untrusted or misconfigured.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
`fetch_public_article` tries both an anonymous session and a logged-in session, and when login cookies exist it constructs a `Cookie` header from them for article fetching, including via the article gateway path. This can unnecessarily attach authenticated backend cookies to requests for nominally public article content, leaking credentials or correlating the user's account activity without clear necessity or disclosure.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code can send message text and local image paths through an external CLI without any disclosure, consent flow, or visible warning in this component. In practice, that makes it easier to leak article-related content, QR codes, or filesystem-derived media to external recipients without the operator fully understanding that outbound transmission is occurring.

VirusTotal

65/65 vendors flagged this skill as clean.
