Back to skill

Security audit

Wechat Content Studio

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill mostly matches its stated purpose, but it includes broad credential tools that can reveal secrets and side-effectful publishing/install behavior users should review first.

Install only if you are comfortable with a skill that can manage WeChat credentials, run publishing commands, install a global npm package, and send article titles to Sogou for verification. Avoid storing unrelated credentials in ~/.openclaw/workspace/secrets.json, do not run get.py/add.py where terminal output is logged, and confirm every publish or install action before proceeding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def cmd_escape(s):
            return str(s).replace("^", "^^").replace("&", "^&").replace("%", "^%").replace("<", "^<").replace(">", "^>").replace("|", "^|").replace('"', '""')
        cmd_str = " ".join(f'"{cmd_escape(p)}"' for p in cmd_parts)
        result = subprocess.run(cmd_str, check=False, env=env, shell=True)
    else:
        # Unix: use list form without shell
        result = subprocess.run(cmd_parts, check=False, env=env)
Confidence
95% confidence
Finding
result = subprocess.run(cmd_str, check=False, env=env, shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if shutil.which("wenyan") is None:
        print(f"{RED}wenyan-cli 未安装,正在安装...{NC}")
        try:
            subprocess.run(["npm", "install", "-g", "@wenyan-md/cli"], check=True, capture_output=False)
            print(f"{GREEN}wenyan-cli 安装成功!{NC}")
        except (subprocess.CalledProcessError, FileNotFoundError):
            print(f"{RED}安装失败!请手动运行: npm install -g @wenyan-md/cli{NC}")
Confidence
88% confidence
Finding
subprocess.run(["npm", "install", "-g", "@wenyan-md/cli"], check=True, capture_output=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requests and documents capabilities equivalent to environment access, file read/write, network, and shell execution, yet does not declare permissions explicitly. That mismatch weakens user awareness and reviewability, especially because the workflow includes publishing, credential use, package installation, and external network interactions that can affect local state and remote accounts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially exceeds the stated user-facing purpose by including local credential management, reading secrets from TOOLS.md, exposing secret values via CLI, and installing external npm packages globally. This is dangerous because users invoking a writing/publishing assistant would not reasonably expect secret enumeration or system modification, creating a high risk of credential disclosure, unauthorized account actions, and supply-chain exposure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This script is a standalone credential-storage utility embedded in a skill whose stated purpose is content research and WeChat publishing. Even if legitimate for API integration, bundling secret management in an unrelated-looking helper increases the chance of hidden credential collection and expands the skill's attack surface, especially because it persists arbitrary fields into a shared secrets file.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script provides a generic capability to read and print secrets from a shared secrets store at ~/.openclaw/workspace/secrets.json. That behavior is broader than the stated微信公众号内容创作/发布 purpose, and in an agent skill context it can expose unrelated credentials to logs, tool output, or downstream prompts, enabling credential theft or misuse.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script accesses a local secrets store and enumerates token-related entries even though the advertised skill is for WeChat content creation, research, and publishing. That scope mismatch materially increases risk because it exposes credential inventory functionality that could aid unauthorized discovery of available accounts and services, and there is no access control, confirmation, or justification tied to the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Auto-installing a global npm dependency introduces package-management side effects and executes third-party code on the machine. In an agent skill context, this is more dangerous because the user may only expect article publishing, not persistent system changes or dependency bootstrap behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads WeChat credentials from local secret stores unrelated to the direct CLI input, which is sensitive credential access behavior. In an agent-skill setting this broadens the trust boundary: the tool is not just publishing content, it is harvesting secrets from the local workspace and repurposing them for execution.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
This script manages deletion of entries from a secrets store located at ~/.openclaw/workspace/secrets.json, which is outside the stated WeChat content creation and publishing purpose of the skill. Even though it does not exfiltrate credentials, adding credential-management functionality to an unrelated content tool increases the attack surface and creates an opportunity for unauthorized disruption or tampering with stored tokens.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are overly broad, such as generic research or writing requests, which increases the chance the skill activates in contexts the user did not intend. In a skill that can access credentials, write files, use shell/network, and publish to external platforms, accidental invocation meaningfully raises the risk of unintended side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to configure app credentials, whitelist an IP, publish to a WeChat draft box, verify indexing, and track data, but does not provide clear warnings about account impact, secret sensitivity, or external publication side effects. In this context, missing warnings are security-relevant because they reduce informed consent for actions that can alter remote account state and expose sensitive tokens.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The trigger list includes very broad, everyday phrases such as '研究一下', '帮我分析', and '调研一下', which can match many unrelated user requests and cause unintended activation of this skill. In an agent environment, overbroad activation can redirect normal conversations into long-running research workflows, potentially invoking external tools, gathering unnecessary data, or producing outputs the user did not intend.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script prints all stored fields, including secrets such as app secrets or tokens, directly to stdout after saving. This can expose credentials in terminal history, logs, CI output, screen recordings, or agent transcripts, turning a local secret-entry step into immediate credential disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes provided credentials to a persistent file in the user's home directory without any warning, confirmation, or retention guidance. Users may believe they are supplying values for one-time use, while the script silently creates long-lived local secret storage that could later be read by other tools, backups, or compromised processes.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
When called without a field, the script prints every key/value pair for the selected secret object, and when called with a field it prints the raw secret value directly. This creates an immediate secret disclosure path with no confirmation, masking, audit control, or user warning, making accidental or intentional credential exfiltration straightforward.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The script reads a sensitive secrets file from the user's home directory and prints token metadata to stdout without any warning, consent prompt, or contextual disclosure. Even though values are partially masked, metadata such as token keys, names, and field structure can still reveal what services are configured and support credential targeting, social engineering, or follow-on abuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script accesses local WeChat credentials and places them into environment variables for subprocesses without an explicit user-facing warning or consent step. This increases the chance of accidental secret exposure to child processes, logs, crash dumps, or other tooling in the execution chain.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends the article title to Sogou in an external HTTP request to verify indexing, but it does not clearly warn that content metadata will be disclosed to a third party. For unpublished or sensitive drafts, even the title may reveal confidential information or editorial plans.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.