Back to plugin

Security audit

WeChat Channel P2P

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real WeChat P2P channel, but it stores account tokens and can run recurring automatic broadcasts, so it should be reviewed before use.

Review this carefully before installing. Use it only if you trust the publisher, prefer a dedicated WeChat account, set a real TURN_SHARED_SECRET if using TURN, pin or review the npx installer, and disable or tightly configure the 30-minute broadcast feature unless you explicitly want automated outbound P2P/WeChat broadcasts.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
build.cjs:9
Evidence
execSync('npx tsc --skipLibCheck', {

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/p2p/broadcast-security.js:325
Evidence
'<script', 'javascript:', 'eval(', 'document.cookie',

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/p2p/security/constants.js:120
Evidence
'eval(',

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/p2p/security/detectors/xss-detector.js:125
Evidence
'onclick=', 'onmouseover=', 'eval(', 'document.cookie'

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/p2p/broadcast-security.ts:481
Evidence
'<script', 'javascript:', 'eval(', 'document.cookie',

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/p2p/security/constants.ts:137
Evidence
'eval(',

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/p2p/security/detectors/xss-detector.ts:158
Evidence
'onclick=', 'onmouseover=', 'eval(', 'document.cookie'

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/p2p/turn-credential-manager.js:83
Evidence
fallbackSecret: process.env.TURN_SHARED_SECRET || 'local-dev-secret-key-2024',

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/p2p/turn-credential-manager.ts:107
Evidence
fallbackSecret: process.env.TURN_SHARED_SECRET || 'local-dev-secret-key-2024',

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/api/api.js:76
Evidence
logger.debug(`requestHeaders: ${JSON.stringify({ ...headers, Authorization: [REDACTED] ? "Bearer ***" : undefined })}`);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/api/api.ts:118
Evidence
`requestHeaders: ${JSON.stringify({ ...headers, Authorization: [REDACTED] ? "Bearer ***" : undefined })}`,

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/p2p/__tests__/edge-cases.test.ts:107
Evidence
password: '[REDACTED]',

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/p2p/__tests__/unit.part1.test.ts:246
Evidence
password: '[REDACTED]',