Wechat Image Generator

Security checks across malware telemetry and agentic risk

Overview

This skill generates WeChat-style article images locally, as described. Its local file and browser steps are disclosed, but the implementation warrants some caution.

Install only if you are comfortable running local Python commands that create HTML files and use a browser for screenshots. Use trusted, simple file paths, avoid serving sensitive content with the local server, and stop the server when finished. Maintainers should replace shell=True subprocess calls with argument-list calls and make browser/file side effects clearer in the manifest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Open in browser
    open_cmd = f'browser open --url "{file_url}"'
    result = subprocess.run(open_cmd, shell=True, capture_output=True, text=True)

    if result.returncode != 0:
        print(f"❌ Failed to open browser: {result.stderr}")
Confidence
98% confidence
Finding
result = subprocess.run(open_cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and documents shell execution, file writes, and browser-driven screenshot generation, but it declares no corresponding permissions or user-visible guardrails. This creates a capability transparency gap: an agent may invoke code that writes files and opens a browser without the user understanding the side effects, increasing the risk of unintended local actions or abuse if inputs are attacker-controlled.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill drives an external browser CLI through shell subprocesses to open attacker-influenced local content. In an image-generation skill, rendering arbitrary HTML can trigger unexpected network access, local file rendering side effects, or browser-tool abuse, increasing the attack surface beyond simple image generation.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manifest uses broad trigger terms like generic requests for covers, comparison images, and article images, which can cause the skill to activate for common user intents where browser automation and file output were not expected. Over-broad routing increases the chance of unintended execution of privileged behaviors, especially in agentic systems that auto-select skills from descriptions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description highlights convenience and low token cost but does not prominently warn that execution opens a browser and auto-saves screenshots to disk. Hidden side effects are dangerous because users and orchestrators may treat the skill as a simple content generator while it actually performs local actions that can expose rendered sensitive data in screenshots or leave unexpected artifacts on disk.

VirusTotal

66/66 vendors flagged this skill as clean.