wechat-group-qa/

Security checks across malware telemetry and agentic risk

Overview

This skill openly organizes WeChat course-group questions into a local Markdown record, with privacy considerations but no hidden or destructive behavior found.

Install only for groups where participants understand that bot-mentioned questions may be recorded. Limit the bot to the intended course groups, restrict access to wechat-qa-records.md, and define how records can be deleted or retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly persists group chat questions, user nicknames, timestamps, and course-stage labels into a file, but provides no privacy notice, consent model, retention policy, or access-control expectations. In a group-chat context this can expose personal data and message content beyond participants’ expectations, creating compliance and confidentiality risk even if the feature is functionally intended.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal