Wechat Articles Spider

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly what it claims to be, but it handles WeChat session credentials and payments in ways users should review carefully before installing.

Install only if you are comfortable using a dedicated WeChat account, storing reusable session credentials locally, and reviewing the payment address and verification behavior yourself. Do not use a primary WeChat account, do not commit weixin_credentials.py, restrict file permissions, delete credentials after use, and enable on-chain verification before relying on paid flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The documented purpose understates several sensitive behaviors: persistent storage of WeChat credentials, retention of user/payment/task records, and blockchain verification logic. This matters because users may consent to a simple article crawler without realizing it creates durable local credential/session artifacts and billing records, increasing privacy and credential-exposure risk if the host is compromised or files are mishandled.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The README explicitly states that login token and cookie credentials are saved locally for reuse, but the manifest does not disclose credential capture or persistence. Because these credentials may grant continued access to a WeChat account, undocumented storage materially increases the risk of account compromise, unauthorized reuse, and unsafe handling by users who do not realize sensitive session data is being retained.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements a full on-chain USDC payment verification subsystem for Base, which is materially outside the stated purpose of a WeChat article crawler. In a skill ecosystem, hidden or under-disclosed payment logic increases supply-chain risk because it can enable billing, payment gating, or financial workflow changes that users and reviewers would not reasonably expect from the advertised functionality.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill automates WeChat admin login, extracts session token/cookies, and preserves them for later reuse. That materially expands capability from article crawling to credential capture and account session reuse, which is dangerous because those credentials can enable broader authenticated actions against the WeChat admin interface if exposed or repurposed.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code dynamically imports a local Python file as credentials, which executes arbitrary Python code during loading rather than safely parsing data. If an attacker can modify or replace that file, they gain code execution in the context of the skill, making this a serious local code-execution risk.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The default verification path accepts any payment proof that passes superficial field checks and then returns true without validating the transaction on-chain. In practice, an attacker can fabricate a JSON token with a matching nonce and sufficient amount and obtain paid access without making any real payment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README instructs users to keep a local file containing token and cookie information without clearly warning that these are sensitive authentication artifacts. If stored in plaintext or in a broadly accessible working directory, anyone with local access, malware, backups, or accidental source-control commits could reuse the session and hijack the account.

Missing User Warnings

High
Confidence
98% confidence
Finding
The crawler writes reusable WeChat token and cookie values to disk in plaintext, creating a durable secret store that can be read by other local users, malware, backups, or logs. Because these are live session credentials, exposure can lead to account takeover or unauthorized use of the authenticated WeChat admin session.

Missing User Warnings

High
Confidence
99% confidence
Finding
Printing token and cookie values to the console exposes secrets to terminal history, log collectors, CI output, screen recordings, or shoulder surfing. These credentials appear reusable, so accidental disclosure can directly compromise the authenticated session.

Missing User Warnings

High
Confidence
99% confidence
Finding
Echoing full token and cookie values after saving duplicates the exposure risk and increases the number of places where secrets may be captured. In an environment with logs, shared terminals, or observability tooling, this can leak active session material beyond the intended user.

Session Persistence

Medium
Category
Rogue Agent
Content
**"Payment expired"**
- Payment requests expire after 5 minutes
- Create a new crawl request

### Crawl Issues
Confidence
88% confidence
Finding
- Create a new crawl request

### Crawl Issues

**"WeChat login failed"**
- Close VPN before running
- Delete `weixin_credentials.py` and retry
- Use a different WeChat account (small accounts have lowe

VirusTotal

64/64 vendors flagged this skill as clean.
