Security audit

Weflow Group Summarizer

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent WeChat group summarization purpose, but its optional unauthenticated LAN proxy and private chat/media handling need careful review before installation.

Install only if you control the WeFlow account and have permission to summarize the selected groups. Avoid the proxy unless needed; if used, run it only on a trusted network, restrict firewall access to the intended machine, and understand that it can expose WeFlow chat/media endpoints over the LAN. Pin dependencies to current patched versions and keep the config and downloaded images in a private directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill performs network access, reads local files, and writes configuration without declaring permissions or presenting explicit user-consent boundaries. In practice this can cause the agent to access local data and remote services more broadly than a user expects, especially because the workflow includes reading exported member files and image paths from message output.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The proxy explicitly listens on 0.0.0.0:5032, exposing the local WeFlow API to any host that can reach the machine over the LAN. In a skill intended for WeChat group summarization and API setup, this materially broadens the attack surface and could allow unauthorized access to backend functionality if no additional authentication or network controls exist.

Vague Triggers
Severity: Medium
Confidence: 81%
Finding: The trigger description is broad enough that the skill could be invoked for general WeChat monitoring or heartbeat-related requests without clear user intent. That increases the chance of unintended execution of file/network operations and summarization of potentially sensitive group chats.

Missing User Warnings
Severity: Low
Confidence: 76%
Finding: The instructions tell the agent to copy and later modify a configuration file in a user-specified location, but they do not warn that this changes persistent local state. Even if limited, silent config creation or modification can surprise users and may overwrite or expose sensitive paths if mishandled.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The heartbeat flow instructs the agent to read image files from local paths found in chat message output and summarize their contents, but provides no privacy warning or path restrictions. This creates a direct local-file access risk because chat-derived paths could expose sensitive images or be abused to induce reading unintended files on the host.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The API documentation describes retrieving chat messages, exporting media to disk, and serving exported media over HTTP, but provides no explicit privacy warning, consent guidance, retention limits, or handling requirements for potentially sensitive personal communications. In a skill centered on monitoring and summarizing WeChat groups, this omission is more dangerous because the data category is inherently private and may include images, voice, and identifiers, increasing the chance of accidental over-collection or disclosure.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Binding the proxy to all interfaces without a strong, explicit warning or consent mechanism can cause operators to unknowingly expose an internal API service to other devices on the network. In this skill context, that makes group-monitoring or summarization infrastructure reachable beyond the local host, increasing the chance of unauthorized use or data exposure.

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content: pyyaml, openpyxl
Confidence: 92%
Finding: pyyaml

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content: pyyaml, openpyxl
Confidence: 91%
Finding: openpyxl

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 98%
Finding: pyyaml

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

Severity: High
Category: Supply Chain
Confidence: 96%
Finding: openpyxl

VirusTotal

66/66 vendors flagged this skill as clean.