Security audit

Anything to WeChat

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it combines broad content intake with credential use, package installation, and automatic upload to a WeChat draft box without enough user-control boundaries.

Install only if you are comfortable with a one-step workflow that can read provided files or URLs, use your WeChat Official Account credentials, install Python packages at runtime, and upload content and images to WeChat. Review the generated HTML and cover image before running the publishing step, and prefer using a constrained environment with credentials supplied only for the session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing beautifulsoup4...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "beautifulsoup4", "-q"])
    from bs4 import BeautifulSoup, Tag

try:
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "beautifulsoup4", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing cssutils...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "cssutils", "-q"])
    import cssutils
    cssutils.log.setLevel(50)
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "cssutils", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing requests...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "-q"])
    import requests
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to read environment variables, read and write files, invoke shell commands, and access the network, yet it declares no permissions or trust boundaries. This creates a transparency and governance gap: users and platforms may not realize the skill can access credentials and publish external content, increasing the chance of unintended credential exposure or unauthorized actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill markets itself as a simple content-conversion workflow but also collects WeChat credentials and performs direct API publication, which is a materially more sensitive action than content formatting alone. This mismatch can mislead users into authorizing execution without understanding that secrets will be requested and external publication will occur.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
A document-to-WeChat converter should not need to broaden its capabilities by installing software during execution. This increases attack surface and can lead to arbitrary third-party code being fetched and run, which is especially risky in automated agent environments where operators may not expect outbound installs.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing a package at runtime is broader than the stated publishing purpose and introduces supply-chain risk. A compromised package, malicious mirror, or dependency confusion event could lead to arbitrary code execution in the environment running the skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README presents very broad activation examples and trigger phrases for publishing to WeChat, including common natural-language requests such as 'publish to wechat' and '发到我的微信'. In an agent environment, overly broad invocation guidance can cause the skill to activate in response to ambiguous user requests, increasing the chance of unintended content publication, credential use, or execution of downstream publishing actions without sufficient user confirmation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation about WeChat, increasing the risk of accidental activation of a skill that can read inputs, fetch URLs, generate content, and publish drafts. Because the downstream action includes external publishing and credential handling, over-broad invocation is more dangerous than for a read-only skill.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description encourages broad invocation boundaries with phrases like 'accept any file' and 'use when the user wants to publish content to WeChat,' which can cause the orchestrator or user to treat the skill as generally applicable. In a skill that can access files, credentials, URLs, and external publication, ambiguous activation scope increases the chance of unintended or over-privileged use.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description says the skill can accept 'any file, folder, URL, or idea' and auto-publish to a WeChat draft box, which creates an overly broad activation and execution scope. In an agent setting, this can cause the skill to be invoked for loosely related requests and process sensitive local content or remote URLs without sufficiently explicit user intent, increasing the chance of unintended publication or data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads article HTML, cover images, and embedded images to external WeChat endpoints, but it does not present an explicit consent or warning at the moment of transmission. In a skill that accepts arbitrary files, folders, URLs, or ideas, this increases the risk of users unintentionally sending sensitive local content off-system.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script retrieves AppID/AppSecret from environment variables and interactive input without clearly warning the user that the AppSecret is sensitive and should not be logged, shared, or stored insecurely. While common, this is still a credential-handling weakness, especially in agent or shared-terminal contexts.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.