WeCom post in group

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it handles a webhook posting credential in a way users should review carefully before installation.

Install only if you are comfortable giving the skill a WeChat Work group robot webhook and storing it in a recurring automation. Treat the webhook URL like a password, rotate it if it appears in logs or transcripts, confirm the target group and schedule before activation, and avoid using production groups for validation unless a test message is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill clearly instructs reading webhook data from files and making outbound network requests, but it declares no permissions. That mismatch undermines least-privilege controls and can cause operators or policy engines to authorize behavior they did not expect, especially when handling secrets like webhook URLs.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 90%
Finding
The skill advertises scheduled webhook setup, but its instructions also include immediate webhook validation/test sends and local file/stdin content handling that materially expand its behavior. This can surprise users into transmitting data externally during setup, increasing the risk of unintended exfiltration or misuse of sensitive local content and webhook credentials.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script's 'validation' routine performs a real POST to the supplied WeChat Work webhook, causing an actual message to be delivered. This creates an unintended side effect, can spam target groups, and can be abused to verify and exercise sensitive webhook credentials rather than merely checking syntax or configuration.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The docstring and exit-code text describe the script as validating a webhook, but the implementation both sends a real test message and prints the full webhook URL on success. This mismatch can mislead operators into disclosing or exercising a secret webhook unintentionally, increasing the chance of credential leakage and unauthorized downstream reuse.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script sends a live message to the provided webhook without explicit confirmation or strong disclosure of that side effect at the point of execution. In the context of a scheduling/webhook skill, this is more dangerous because users are likely to paste production group webhook secrets, so a 'check' action can trigger unexpected messages in real organizational channels.

VirusTotal

66/66 vendors flagged this skill as clean.
