
Security audit

Baoyu Wechat Summary

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it needs unsandboxed access to private WeChat data and creates long-lived local chat summaries, histories, and participant profiles.

Install only if you are comfortable granting the agent unsandboxed local access to WeChat data and creating durable local archives of group conversations and participant profiles. Before use, choose a data_root you can manage, review who may access those files, and manually delete histories/profiles/memory when no longer needed. Avoid using it on groups where members would not expect their messages to be summarized and profiled.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The skill explicitly requires running every `wx` command with sandbox protections disabled so it can access `~/.wx-cli` and the WeChat data directory outside the agent sandbox. That materially expands the agent's filesystem reach into sensitive private chat data, making any downstream prompt injection, parsing error, or misuse more damaging than it would be for a sandboxed skill.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill is designed to read private WeChat chats and persist derived artifacts such as digests, profiles, and memory files, but the top-level trigger/description does not require a clear up-front privacy notice or consent checkpoint. That increases the chance of users unintentionally exposing sensitive conversation content and creating local archives they did not expect.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The skill instructs the agent to scan recent sessions to auto-discover the user's own `self_wxid` and display name, then persist them into configuration. This collects and stores account identifiers from private chat metadata without a strict need for prior informed consent, increasing privacy exposure and broadening the scope of accessed data beyond the requested group summary.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The skill maintains long-lived per-user profiles and a group memory file derived from chat content across runs. Persistent profiling of identifiable participants materially raises privacy risk, can accumulate sensitive inferences over time, and creates a durable local dataset that could be exposed or misused beyond the original summarization request.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: Appending digest history and updating profile records on every run creates an ongoing archive of conversation-derived data, increasing its sensitivity and blast radius over time. Even if intended for convenience, continuous accumulation of private chat summaries and metadata creates a meaningful confidentiality risk if the local files are accessed by other tools, users, or future workflows.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The instructions explicitly require preserving and reproducing personally identifying chat content, including real names, verbatim quotes, URLs, gossip, and prior-profile continuity across runs. In a summarization skill with persistent history/profile memory, this materially increases the risk of privacy leakage, over-retention, and downstream disclosure of sensitive interpersonal data to users who may not have a need to see it.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.