Back to skill

Security audit

Wechat Use

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeChat automation skill, but it needs review because it can read and send WeChat messages and its documentation understates optional off-device sharing risks.

Install only if you are comfortable giving a third-party tool access to your local WeChat databases, DB decryption key, contacts, chat history, media, and message-send capability. Avoid tunnel, orchestrate, AI assistant, and webhook modes unless you set strong authentication, limit chats and message types, and trust every destination receiving the data. Inspect or pin the installer instead of blindly running the remote shell script, protect the cached key files like passwords, and keep usage limited to your own account and lawful personal automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill claims that everything runs '100% locally' and that 'no data leaves the machine', but elsewhere it documents Cloudflare Tunnel exposure, SaaS outbox/webhook orchestration, and generic webhook forwarding. That mismatch can mislead operators into enabling remote integrations under a false privacy assumption, causing unintentional disclosure of chat contents or metadata.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The top-level description promotes `wechat-use tunnel setup --hostname <yours>` but does not immediately warn that this changes the trust boundary from localhost-only access to remotely reachable access via Cloudflare Tunnel. Users may treat it like a harmless convenience feature and expose sensitive messaging operations without understanding the added attack surface.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The trigger examples encourage auto-reply and forwarding inbound WeChat messages to AI assistants or webhooks without an immediate privacy warning. That normalizes broad transmission of potentially sensitive private/group content to third parties and may lead operators to deploy unsafe automations by copy-paste.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly suggests piping inbound WeChat content into arbitrary shell handlers and external webhooks/AI assistants. Even if technically intentional, this broad forwarding pattern can exfiltrate personal communications, group messages, attachments, and metadata to untrusted third parties with little guardrail in the documented flow.

External Script Fetching

Low
Category
Supply Chain
Content
| `delivery_verify_timeout` / `slot_send_bp_armed_no_fire` | WeChat (re)launched but its internal send pipeline not yet wired | Tell user: open WeChat → click 「文件传输助手」→ type any message → press Enter. Then retry `wechat-use send`. (See Step 4 above.) |
| `wechat_not_running` | WeChat.app not launched | Run `open -a WeChat`. If from a non-aqua SSH session, fall back to `osascript -e 'tell application "WeChat" to activate'`. Wait ~5s before retrying. |
| `slot_send_bp_failed_to_arm` (detail: `send adapter install did not complete within 30s`) | WeChat has `get-task-allow=false` (official default signing); wechatd's local debugging interface can't connect | Run `wechat-use doctor` to confirm `wechat_get_task_allow ✗`. Then ask the user to copy-run the **merge-mode re-sign block** that `install.sh` prints (or `wechat-use doctor` suggests). Needs sudo, must be run by the user. Do NOT use a replace-mode `codesign --entitlements ...` command — it strips WeChat's existing system entitlements and breaks TCC for WeChat itself. |
| `daemon_accessibility FAIL` / `ax_trusted=false` after a recent install/upgrade | Multiple `ai.wechat.*` LaunchAgents on the machine — orchestrate (KeepAlive) re-spawned wechatd with a stale launchd responsibility chain | Re-run `curl -fsSL https://raw.githubusercontent.com/leeguooooo/wechat-use/main/install.sh \| bash`. v1.16.12+ install.sh bootouts every `ai.wechat.*.plist` and bootstraps in the right order. Don't try to surgically `launchctl kickstart` — it doesn't reset the responsibility chain. |
| `tcc_accessibility_denied` (wechat-bridge or wechatd untrusted) | User hasn't dragged binaries into System Settings → Privacy & Security → 辅助功能, or dragged them but didn't toggle ON | Open the pane: `open "x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility"` + `open ~/.local/bin`. Tell user to drag both `wechatd` and `wechat-bridge` in **and** toggle both to ON. macOS strictly requires user-initiated drag — no automation ca
...[truncated 25 chars]
Confidence
91% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/leeguooooo/wechat-use/main/install.sh \| bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:156