Wechat MP Article Stats Comments Suite - WeChat Official Account Management Suite

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for WeChat public-account operations, but it combines powerful account-changing actions with under-scoped credential and cookie handling that users should review carefully.

Install only if you administer the affected WeChat public accounts. Keep AppSecret, WECHAT_MP_ACCOUNTS, and WECHAT_MP_COOKIE out of shared environments and logs, avoid setting WECHAT_MP_COOKIE globally, and only fetch trusted URLs when any cookie is present. Review every JSON request before running publish, delete, clone, comment moderation, or blacklist commands, especially when multiple accounts are configured.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The file goes beyond the documented draft-management scope by implementing cross-account cloning: fetching source draft contents, re-uploading media, and creating new drafts in other accounts. Expanding privileged behavior beyond the declared purpose increases the chance of unauthorized content propagation across all configured official accounts if the skill is invoked unexpectedly or abused.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The clone path exposes draft creation through /cgi-bin/draft/add even though the module description only advertises listing, getting, deleting, and publishing drafts. Hidden write capability broadens the attack surface and can be used to plant content into target accounts without an operator realizing the skill supports creation.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The helper fetches arbitrary http/https URLs, optionally attaching a cookie taken from the request input or the environment, and then uploads the fetched bytes into WeChat. This creates an SSRF-style primitive and can leak internal network reachability or sensitive cookie-authenticated content, none of which is necessary for ordinary official-account draft administration.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The skill can fetch arbitrary external HTML, CSS, and images from user-supplied URLs, which expands it into a general-purpose web retriever beyond the stated official-account backend scope. In an agent setting, this creates SSRF-style risk, unintended network access to internal resources, and a covert channel for sending cookies or metadata to attacker-chosen endpoints.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The trigger description is broad and open-ended, covering vague phrases like '类似公众号后台操作时,使用本技能' (roughly, "use this skill when performing similar official-account backend operations"), which can cause the agent to invoke this skill for loosely related requests. Because the skill can access credentials, read/write local files, and perform external actions against WeChat APIs, accidental invocation could expose secrets, modify drafts/comments/users, or publish unintended content.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The delete command performs a destructive external action immediately once given a media_id, with no confirmation, dry-run mode, or contextual safeguard. In an agent setting, ambiguous prompts or prompt-injection-induced tool use could cause accidental or unauthorized draft deletion across configured accounts.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: Submitting a draft for publishing triggers an external state change that may be difficult to undo, yet the command has no built-in warning, review step, or confirmation gate. In an autonomous-agent context this increases the risk of accidental publication of unreviewed or malicious content.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The code forwards user-supplied or environment-provided cookies to arbitrary external URLs during HTML fetches. In an agent environment, that can leak authenticated session cookies to attacker-controlled hosts, enabling account compromise or unauthorized access on third-party sites.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: Cover image download can include caller-provided or environment-derived cookies and sends them to any user-specified URL. This exposes authenticated session material to arbitrary hosts and is especially risky because image URLs are often treated as harmless by users and agents.

VirusTotal

65/65 vendors flagged this skill as clean.