WeChat Channels Share Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends a WeChat Channels share link to a documented resolver and downloads the resulting video to Downloads.

Install only if you are comfortable sending WeChat share-link metadata to the documented resolver service and saving the downloaded media under ~/Downloads. Use it only for content you are allowed to access and download, and choose a unique filename when you want to avoid overwriting an existing file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The skill explicitly states that output is written to ~/Downloads but does not warn the user at the point of use that executing the command will create or overwrite a local file. While this is not inherently malicious, silent file-write behavior can surprise users, lead to accidental storage of untrusted content, or cause unintended overwrites depending on script behavior.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script sends the user-supplied WeChat share URL to a third-party resolver API by default, which discloses user activity and link metadata to an external service without an explicit warning or consent step. In this skill's context, the external resolver is central to functionality, but the lack of transparent disclosure and the default use of a non-WeChat, non-local endpoint creates a real privacy and trust risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal