Back to skill

Security audit

Baoyu Post To Wechat

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill appears purpose-related, but it handles login material, browser sessions, clipboard input, and remote publishing in ways users should review before installing.

Review this skill carefully before installing. Use it only in a dedicated browser profile and WeChat account context, avoid enabling Telegram QR forwarding unless you fully control the bot and chat, treat .env and EXTEND.md as sensitive, and do not use remote SSH publishing unless you trust the remote host and understand that drafts, credentials, and session traffic may pass through it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script sends real OS-level paste keystrokes to whatever application is frontmost, and on macOS can explicitly activate an arbitrary application by name before injecting the paste. That capability is broader than the stated WeChat-posting purpose and can cause clipboard contents to be inserted into unintended apps, including terminals, password fields, chat tools, or other privileged contexts if focus is wrong or manipulated.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill captures the WeChat login QR code and sends it to Telegram whenever TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are present, without requiring explicit per-run user consent. A login QR is an authentication artifact; forwarding it to a third-party channel can let another party scan it, hijack the login flow, and also leaks sensitive account access metadata outside the intended WeChat/Chrome context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code uses Telegram, an unrelated third-party messaging service, to transmit WeChat authentication material. Crossing trust boundaries in this way increases exposure to bot-token compromise, chat misconfiguration, unauthorized recipients, and platform-side retention, making account takeover or credential abuse materially more likely.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The tests demonstrate undocumented support for remote publishing via SSH-style configuration fields such as remote_publish_host, identity_file, known_hosts, proxy_jump, and host key checking. This expands the skill’s operational scope beyond the stated WeChat API/CDP workflows, creating hidden network-capable behavior that could be abused for outbound connections, credential use, or lateral movement if the underlying feature is invoked.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow states that guided setup writes API credentials to a local .env file but does not warn users that secrets will be stored on disk. Secret persistence without clear disclosure increases the chance of accidental exposure through backups, repository commits, permissive file permissions, or other local compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting guidance suggests sending the WeChat login QR image through Telegram using TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, but does not warn that this shares login-related material with a third party. Even if it is 'just a QR,' it is authentication-adjacent data and could be intercepted, retained, or mishandled outside the expected trust boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes automated selection, deletion, scrolling, and paste operations inside the WeChat editor without warning the user that the browser will perform destructive editing actions. In a browser-automation skill, omission of this warning can cause users to run the workflow in the wrong tab, wrong draft, or wrong account context, leading to unintended content deletion or modification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup flow explicitly normalizes collecting and storing remote publishing and account-related configuration, including fields that may lead users to place sensitive secrets such as WeChat App ID/App Secret and SSH identity file paths into EXTEND.md, but it provides no warning about credential sensitivity, storage location risk, file permissions, or safer secret-handling alternatives. In a publishing skill that writes preferences to project or user directories, this increases the chance that credentials are stored in plaintext, committed to source control, or exposed to other local users or tools.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code launches Chrome with a persistent profile directory, which gives the automation session access to existing browser state such as cookies, logged-in sessions, saved drafts, and other local profile data. In this skill's context—automating WeChat publishing—that is operationally useful, but without a clear user-facing warning or isolation controls it increases the chance of unintended access to sensitive account data or accidental actions under the user's identity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill supports routing publication through an SSH tunnel to a remote host, which can cause article content and API authentication traffic to traverse infrastructure outside the local machine. In the context of a publishing skill that handles account credentials and unpublished content, enabling remote transit without a strong trust boundary warning increases the risk of unintended disclosure or operator misconfiguration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The QR image is sent to Telegram based solely on environment variables, and the operator only sees a vague log message after the behavior is already wired into the workflow. Lack of an operation-site warning and explicit opt-in makes accidental disclosure of authentication artifacts more likely, especially in shared automation environments where env vars may be preconfigured.

Missing User Warnings

Low
Confidence
96% confidence
Finding
The code logs the full SSH command line, which can expose sensitive operational details such as the remote username/host, port, proxy jump target, known-hosts path, and especially the private key file path. While it does not print key contents, these details may be captured in logs, terminals, CI output, or telemetry and can aid reconnaissance or leak user environment information.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/cdp.ts:51

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/copy-to-clipboard.ts:62

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/paste-from-clipboard.ts:107

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/wechat-api.ts:441

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/wechat-article.ts:443

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/wechat-remote-publish.ts:185

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/wechat-article.ts:38