Security audit

wecom-meeting

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it manages Enterprise WeChat meetings, but it needs company WeCom credentials and can create or cancel real meetings.

Install only if you want an agent to manage Enterprise WeChat meetings. Use a dedicated least-privilege WeCom app, protect ~/.wecom/config.json, confirm meeting IDs and attendee details before actions, avoid --force unless you intentionally want to cancel that meeting, and do not run the API module’s diagnostic test in shared terminals or CI logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill documentation instructs users to store credentials in a local config file and use scripts that perform file reads and network calls, but it does not declare corresponding permissions. Undeclared capabilities reduce transparency and can cause the agent to access local secrets or external services without the normal review expectations, which is especially relevant because this skill handles corporate API credentials and meeting-management actions.

Context-Inappropriate Capability

Severity: Low
Confidence: 89%
Finding:
The module silently reads WeCom credentials from ~/.wecom/config.json when explicit credentials are not provided. In a skill context, implicit local secret discovery expands the trust boundary and can cause the skill to access sensitive enterprise credentials without clear user awareness, which is risky even if intended for convenience.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The test block prints CorpID, AgentID, and a prefix of the access token to stdout. Credential material and token fragments can leak into terminal history, logs, CI output, or agent telemetry, enabling unauthorized API use or aiding further secret recovery.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding:
The skill includes a cancellation workflow for meetings but provides no warning, confirmation guidance, or safety note that cancellation is destructive and affects all attendees. In a meeting-management context, this increases the chance of accidental or socially engineered destructive actions that disrupt schedules and business operations.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
Reading credentials from a local config file without any user-facing warning or consent is a real security concern in an agent skill. It can surprise users by accessing sensitive local secrets unrelated to the immediate prompt flow and makes credential exposure harder to reason about.

VirusTotal

64/64 vendors reported this skill as clean.

View on VirusTotal