Security audit

Wjs Publishing Wechat

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a real WeChat publishing helper, but it needs review because it can use account credentials, send draft content to AI/image services, and create WeChat drafts with broad activation rules.

Install only if you trust the publisher and the unpinned external image-generation skill. Before using it, confirm which WeChat account credentials are configured, avoid confidential drafts unless you are comfortable sending article text to the image provider, and run upload-draft.sh only when you intentionally want to create a WeChat draft.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium, confidence 93%
Finding
The skill is framed as drafting/polishing assistance, but it also performs authenticated publication-side actions against the user's WeChat Official Account by uploading assets and creating drafts. This is a meaningful scope expansion from editing text to acting on an external account, which can surprise users and cause unintended content publication workflow changes.

Description-Behavior Mismatch

Severity: Medium, confidence 97%
Finding
The auto-sync hook that commits and pushes the skill to GitHub is unrelated to the stated purpose of preparing WeChat articles. Hidden repository mutation and outbound publication of local changes create an unnecessary side effect that could leak prompts, configuration, or operational details beyond the user's intent.

Context-Inappropriate Capability

Severity: Medium, confidence 96%
Finding
Automatic synchronization to GitHub is context-inappropriate for a writing/publishing helper and expands the attack surface without benefiting the core task. Because it introduces outbound network and repository actions in an unrelated workflow, it raises the risk of accidental data disclosure or unauthorized source changes.

Vague Triggers

Severity: Medium, confidence 93%
Finding
The README advertises auto-fire on very broad phrases like '润色' (polish) and '准备发布' (prepare to publish), which can match common benign requests and cause the skill to activate in contexts the user did not intend. Because this skill can generate files and invoke local helper scripts that open apps and manipulate clipboard/browser state, overly broad triggering increases the chance of unexpected side effects and unsafe delegation.

Missing User Warnings

Severity: Low, confidence 88%
Finding
The README describes a 'one-command upload helper' and later notes it will open a browser, reveal files in Finder, and push HTML to the clipboard, but it does not clearly foreground these as local side effects or warn that existing clipboard contents will be overwritten. That omission can mislead users into invoking the helper without understanding it will modify local application state, which is especially relevant for an auto-fired skill.

Vague Triggers

Severity: Medium, confidence 82%
Finding
The trigger phrases are broad and overlap with ordinary writing requests such as polishing or drafting, increasing the chance this higher-authority workflow activates when the user only wanted editing help. Given the skill can create files, invoke external generators, and later publish drafts, overbroad activation materially increases risk.

Vague Triggers

Severity: Medium, confidence 90%
Finding
Allowing directory context alone to trigger the skill is unsafe because mere presence in a workspace can cause the agent to assume publication-oriented behavior. In a folder containing drafts or sensitive notes, this can lead to unintended file creation, image generation, or upload preparation without a clear user request.

Missing User Warnings

Severity: High, confidence 98%
Finding
The instructions direct the agent to upload images and create drafts in the user's WeChat backend without an explicit confirmation checkpoint immediately before the network action. Because these are authenticated external side effects against a real account, lack of a warning/consent gate can cause unauthorized or accidental publication preparation.

Missing User Warnings

Severity: High, confidence 97%
Finding
The skill automatically sends article title/content to an external AI image-generation workflow, including passing the full article as instructions for illustration generation, without a privacy notice or consent step. Drafts may contain unpublished, proprietary, or sensitive information, so silent transmission to third-party services creates a real confidentiality risk.

Missing User Warnings

Severity: Medium, confidence 86%
Finding
The skill automatically creates and may overwrite multiple files in the user's workspace as part of its default flow, but the documentation does not require a warning or confirmation before modifying disk state. This can unexpectedly alter a working directory, clobber previous outputs, or create publication artifacts the user did not intend to persist.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The script sends the full article content to an external image-generation wrapper via the --instructions argument, which can expose unpublished drafts, sensitive business material, or personal data to a third-party service. In a publishing skill, this data flow is expected for functionality, but the lack of an explicit user-facing notice, consent gate, or data-sensitivity check makes it a real privacy/security weakness rather than a purely theoretical concern.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.