WeChat MP Reader FZX

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it fetches a user-provided WeChat article and saves a Markdown copy locally, with no evidence of hidden or malicious behavior.

Install only if you are comfortable with the skill making network requests to fetch article pages and writing Markdown files locally. Use a dedicated output folder to avoid accidental overwrites, and provide only article URLs you intend the tool to retrieve.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger conditions are broad enough to match generic requests about reading, downloading, saving, or archiving WeChat articles, without clear exclusions or confirmation steps. This can cause the skill to activate unexpectedly in adjacent contexts, leading to unintended network fetches and local file creation, especially because the skill has data retrieval and write capabilities.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal