Back to skill

Security audit

md2WeChat-python

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: converts Markdown for WeChat and can upload drafts and images to the configured WeChat account.

Install only if you intend to let the skill use your WeChat public-account credentials. Use --convert-only for local HTML conversion without upload, and use draft mode only for Markdown content and referenced images you are comfortable sending to WeChat. Keep any .env file private and rotate the WeChat secret if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly advertises automatic upload of local images and draft content to WeChat services, but it does not clearly warn users that article text, embedded images, and cover assets will be transmitted to an external platform. This can lead to unintended disclosure of sensitive local content or proprietary documents if a user assumes the tool only performs local conversion.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The CLI defaults to `--draft`, which causes article content and optional images to be sent to WeChat if credentials are present, without an explicit confirmation or prominent warning at the point of execution. In a security/privacy context, silent default transmission of local files to an external service is risky because users may expect local conversion unless they consciously opt in to upload.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.