
Security audit

Fetch Wechat Article

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated WeChat article-fetching purpose, but its script can run a stealth browser against any HTTP/HTTPS site, so it should be reviewed before installation.

Install only if you are comfortable giving the skill a real-browser web-fetching capability. Use it only with public WeChat article URLs and trusted output folders; avoid passing internal, localhost, account, or private URLs until the script enforces a strict mp.weixin.qq.com allowlist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill documentation describes capabilities that write files to disk and may inspect or depend on environment/runtime conditions, but it does not declare corresponding permissions. Undeclared capabilities weaken review and enforcement because operators may approve or run the skill without understanding that it can persist data locally, which increases the chance of unauthorized data handling or policy bypass.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding:
The skill metadata says it is specifically for fetching `mp.weixin.qq.com` public articles, but the CLI accepts any `http://` or `https://` URL and the browser automation will visit it with a real browser context. In an agent setting, this broadens the tool into a general-purpose web-fetching and anti-bot browsing capability, increasing SSRF-like/internal browsing risk, access to sensitive intranet pages from the host environment, and abuse beyond the declared scope.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
The script includes explicit anti-detection measures such as disabling automation indicators, spoofing `navigator.webdriver`, fake plugins/languages, and adding `window.chrome`, combined with headed real-browser automation to bypass WeChat anti-bot checks. In a constrained content-fetching skill, this creates a reusable stealth browsing primitive that can be repurposed to evade bot defenses on arbitrary sites, making the capability materially more dangerous than ordinary scraping.

VirusTotal

60/60 vendors flagged this skill as clean.
