wechat-miniprogram-dev

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward WeChat Mini Program development/deployment helper, but users must protect the referenced signing key and verify deployment targets before running commands.

Install only if you intend to work on and deploy a WeChat Mini Program. Before using it, replace the sample project identifiers, keep the private key out of source control, restrict key file permissions, prefer secret storage or protected CI variables, and manually confirm AppID, cloud environment, function name, version, and upload description before running deployment commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation exposes a concrete private key file path together with fully formed deployment and preview commands that consume that key, which normalizes direct handling of sensitive signing credentials and increases the chance of accidental disclosure or misuse. In the context of a deployment skill for a real WeChat Mini Program, these details materially lower the barrier for someone with workspace access to locate and use the credential for unauthorized builds, previews, or releases.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal