Security audit

微信文章读取 (WeChat Article Reader)

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to read WeChat articles, but its script can execute unintended shell commands from a crafted URL.

Review before installing. This does not look intentionally malicious, but it should be fixed before routine use: replace the shell=True call with a safe HTTP client or a subprocess argument list (no shell), accept only HTTPS URLs on mp.weixin.qq.com, and document the network and dependency requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd += f' "{url}"'

    import subprocess
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

    if result.returncode != 0:
        return f"Error fetching URL: {result.stderr}"
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes a shell command (`python3 scripts/read_weixin_article.py ...`) but does not declare any permissions, creating a mismatch between advertised and actual capabilities. This weakens review and sandboxing expectations and can enable unexpected network/process execution when the skill is triggered.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill's declared function is reading WeChat articles, but it unnecessarily invokes a shell to do so. Because the shell command includes attacker-controlled input, this unjustified capability creates arbitrary command execution risk and can lead to full system compromise rather than simple content retrieval.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The auto-activation description is broad enough to trigger on general references to WeChat articles or content extraction, which can cause the skill to run in contexts the user did not clearly intend. Because the skill performs shell-backed retrieval of remote content and claims to bypass anti-scraping restrictions, unintended activation materially increases security and policy risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script executes a shell command derived from a user-provided URL without any warning, confirmation, or validation. In an agent skill context, this lowers the barrier for exploitation because untrusted user input can directly trigger backend command execution during normal use.

VirusTotal

66/66 vendors flagged this skill as clean.