Weixin Video Publish

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is clearly for publishing videos to Weixin Channels, but users should treat the final publish step as account-sensitive.

Install this only if you want an agent to help publish real videos to a Weixin Channels account. Before allowing the final publish action, verify the logged-in account, video file, title, description, tags, location, visibility setting, and that any originality declaration is true.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrase and example invocation are broad enough to match ordinary user requests like '帮我发布视频到视频号', which can cause the skill to activate during routine conversation without sufficient confirmation. Because this skill performs a real browser-driven publishing action to a live platform, accidental invocation could lead to unintended uploads or posts under the user's authenticated account.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill description explains functionality but does not prominently warn that it will perform an actual publication action on the user's behalf using an already logged-in WeChat account. In this context, omission is dangerous because users may interpret the skill as drafting or assisting rather than directly posting content, increasing the risk of unauthorized or accidental public distribution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal