Security audit

WeChat Post with GPT Image-2

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a WeChat marketing poster generator, but it exposes review-worthy network, credential, and data-retention risks.

Review before installing. Prefer polling over callback mode; if callbacks are needed, bind only to localhost or a protected interface, add authentication, and clean the callback directory after use. Confirm which image provider and model your credential files will use, and avoid entering sensitive business details, private phone numbers, or QR codes unless you are comfortable storing them in generated files and sending prompt content to external image services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding:
The documentation instructs cloning an external GitHub repository at runtime to obtain prompt templates. Pulling remote content into the execution environment introduces supply-chain risk and makes outputs depend on mutable third-party content that is outside the skill's trust boundary.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The skill instructs operators to start a callback server and expose a callback URL for asynchronous results. Opening a listener on 0.0.0.0 and accepting external POSTs creates an unnecessary inbound attack surface for a content-generation skill and may permit unsolicited traffic, spoofed callbacks, or sensitive payload capture.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
This file implements a persistent HTTP callback server bound to 0.0.0.0 that accepts arbitrary inbound requests and stores their contents on disk, behavior that is unrelated to the stated WeChat marketing content generation purpose. Even if intended for debugging or integration, exposing an unauthenticated listener that captures external data materially expands the attack surface and can be abused for data collection, unauthorized ingress, or unexpected persistence of sensitive payloads.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill contains undisclosed behavior that runs a local web service and saves incoming request data and headers to disk, which is not reflected in the manifest description. Hidden network-facing functionality is dangerous because users and reviewers cannot accurately assess the skill’s runtime behavior, and such a service can be used as an unintended ingress point or for covert collection of operational data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script accepts a user-supplied callback URL and forwards it directly to a third-party API, effectively enabling arbitrary outbound webhook behavior. In a skill intended for WeChat marketing content generation, this expands capability beyond the expected scope and can be abused for data exfiltration, SSRF-style callback targeting, or triggering requests to attacker-controlled endpoints via the external service.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The script reads a URL from task result metadata and downloads it to an arbitrary output path without validating the destination host, scheme, content type, or size. In the context of a WeChat copywriting skill, this network download behavior is not clearly necessary and increases the risk of SSRF-style access to internal resources, retrieval of attacker-controlled files, or abuse of the agent as an untrusted fetcher.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill asks for phone numbers, QR-code settings, and file paths, then states these are stored on disk, but it does not warn users about this persistence. Silent retention of personal contact details and local path information increases privacy risk and can expose sensitive metadata if the workspace is shared or later exfiltrated.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The callback workflow exposes a network endpoint and sends task results to an external URL without a prominent user warning. This is dangerous because users may unknowingly publish a reachable service and route generated content or metadata through external infrastructure, creating confidentiality and attack-surface concerns.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The POST handler writes arbitrary request bodies plus all request headers to disk without authentication, consent, redaction, or retention controls. This can persist sensitive information such as tokens, cookies, personal data, or internal callback payloads, turning the skill into a data sink that increases privacy, credential exposure, and forensic risk if the host is accessed or logs are reused.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script sends user-supplied marketing text, pricing, and related business content to a third-party image-generation API, but it does not clearly disclose that this data leaves the host or obtain explicit consent at the point of use. In an agent skill context, users may reasonably assume local processing, so this creates a real data-handling and privacy risk, especially if sensitive business, campaign, or personal information is included in prompts.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly collects personal contact details and QR-code preferences and persists them into output files and retained state. In a marketing-content skill, this raises the sensitivity because the data is not merely transient input for rendering; it is stored in workspace artifacts that may be reused, shared, or exposed beyond the user's immediate intent.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.