Security audit

WeCom Task Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeCom task manager, but it can change or delete live task data and contains an unsafe command-execution pattern that needs review before installation.

Review before installing. Use only with a trusted publisher and a dedicated WeCom sheet, replace the shell=True mcporter calls with argv-based subprocess calls, require explicit confirmation for delete_task and delete_goal, and do not rely on AGENT_ID alone as an authorization boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""执行 mcporter 命令"""
    args_json = json.dumps(args_dict, ensure_ascii=False)
    cmd = f'{MCPORTER_PATH} call wecom-doc.{command} --args \'{args_json}\' --output json'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    
    if result.returncode != 0:
        print(f"Error running mcporter: {result.stderr}")
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for attempt in range(1, max_retries + 1):
    args_json = json.dumps(args_dict, ensure_ascii=False)
    cmd = f'{MCPORTER_PATH} call wecom-doc.{command} --args \'{args_json}\' --output json'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

    if result.returncode == 0:
        try:
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly documents `delete_task()` and `delete_goal()` operations, including cascading deletion of associated tasks, but provides no confirmation flow, soft-delete guidance, authorization re-check, audit requirement, or recovery instructions. In an agentic environment where actions may be triggered from natural-language requests or relayed through other agents, this makes accidental or unauthorized destructive actions materially more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation exposes create and update APIs that directly modify remote task records, including status transitions and completion fields, but does not clearly warn that these operations have side effects on live enterprise data. In an agent skill context, omission of explicit mutation warnings can cause an LLM-driven workflow or user to invoke these functions assuming they are informational, leading to unintended state changes, incorrect ownership, or premature completion of tasks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The heartbeat example iterates over all pending tasks and automatically starts them, performing bulk remote state changes without any warning, filtering, approval step, or rate limiting. In an autonomous agent environment this is especially risky because a copied example can mass-transition task state, assign owners automatically, and create false operational signals across many live records.

Missing User Warnings

High
Confidence
72% confidence
Finding
`delete_task` performs an irreversible remote deletion once called, with no confirmation, soft-delete, or secondary authorization. In an agentic environment, accidental invocation, prompt misuse, or compromised upstream logic can destroy records immediately, causing integrity loss and operational disruption.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.