Security audit

微信公众号自动发布器

Security checks across malware telemetry and agentic risk

Overview

This skill is openly meant to create and publish WeChat content, but it combines broad activation, credential-backed external actions, and unsafe command execution patterns that need review before installation.

Install only if you intend this agent to use configured search, image-generation, and WeChat credentials. Keep it draft-only unless you personally approve the final WeChat action, avoid sensitive unpublished material, do not paste or print .env contents, and review/patch the shell command construction before using untrusted topics or filenames.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The README claims '每步用户确认' (user confirmation at every step) while also marketing the skill as an end-to-end automatic flow that writes, generates images, and publishes to a public WeChat account. This mismatch can cause operators to assume there is a human approval gate when the documented workflow may proceed to external API calls and publication, increasing the risk of unintended disclosure or accidental public posting.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The README promotes a workflow that automatically publishes content to a live WeChat official account, but the nearby guidance does not clearly warn users that this changes external account state and may publish public-facing content. In an agentic context, the lack of an explicit confirmation/approval warning increases the risk of unintended posting, reputational damage, or accidental disclosure through automated actions.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The documentation instructs users to place API keys in .env files but does not clearly warn about secret handling, least privilege, file permissions, or avoiding commits/logging. While this is common setup guidance, omission of basic credential-safety advice can lead to accidental exposure of cloud and account credentials.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger phrase ('帮我写一篇关于...的文章,发布到公众号', i.e. "help me write an article about ... and publish it to the official account") is broad and resembles an ordinary user request rather than a clearly delimited administrative command. In an agent setting, this raises the chance of accidental activation of a workflow that performs external searches, content generation, image generation, and publishing without the user understanding the side effects.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README describes a fully automated pipeline that sends prompts and content to external services and ultimately publishes to a WeChat public account, but it does not place a prominent user-facing warning at the point of use about data transmission, third-party processing, and public publication risk. This is dangerous because users may provide sensitive drafts or internal topics that are then transmitted or publicly posted unintentionally.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger phrases are broad enough to match ordinary writing requests such as 'write an article' or 'help me write a public account post', but this skill does much more than drafting text: it performs searches, generates images, and can publish externally. Overbroad activation increases the chance that a user asking for simple assistance unintentionally triggers a workflow with outbound actions and credential-backed publication.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The visible skill description and early sections do not adequately disclose that the workflow will execute external searches, call a separate image-generation skill/API, and publish to a WeChat account using configured credentials. This lack of prominent disclosure undermines informed consent and makes accidental data exfiltration or unintended publication more likely, especially because the skill advertises itself primarily as article creation.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The example trigger phrase is very broad: a generic request to write an article and publish it could cause the skill to activate in situations where the user did not intend full end-to-end automation. Because this skill performs consequential actions such as content generation, image generation, and publishing to a WeChat draft box, ambiguous activation increases the risk of unintended execution and accidental publication workflows.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding: The usage flow says users can simply tell OpenClaw to write an article on a topic and publish it, but it does not define boundaries for when the skill should or should not activate. In an agent environment, underspecified routing can cause this skill to trigger on ordinary conversational requests and proceed toward external side effects using stored credentials.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script launches a child process with the entire parent environment copied into it via `env: { ...process.env }`. This can expose secrets such as API tokens, session cookies, or publishing credentials to the downstream script and any tools it invokes, increasing the blast radius if that script is compromised or logs its environment.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: User-controlled input is interpolated into a shell command passed to execSync, creating a command injection risk if the query contains shell metacharacters or quote-breaking payloads. Because the process inherits the full environment and runs a Python helper, successful injection could execute arbitrary commands and access sensitive local data or tokens.

Credential Access

Severity: High
Category: Privilege Escalation
Confidence: 76%
Finding: .env
Content:
cat ~/.openclaw/.env

# Or check the skill directory configuration
cat ~/.openclaw/workspace/skills/wanx-image-generator/.env

# Test generation
cd ~/.openclaw/workspace/skills/wanx-image-generator

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/publish.js:37
Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/search.js:27
Shell command execution detected (child_process).