Security audit

File to WeChat

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can read broad user files and upload generated content to WeChat drafts without a clear review or consent checkpoint.

Install only if you are comfortable letting the agent read the selected files, generate derivative content, and upload it to a WeChat Official Account draft using your credentials. Review generated Markdown/HTML and cover images before publishing, avoid sensitive files unless intended, prefer local conversion over cloud fallback for private documents, and preinstall dependencies instead of relying on runtime package installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import sys
try:
    # try block reconstructed from the except branch quoted in this finding
    import markdown
    from markdown.extensions.tables import TableExtension
    from markdown.extensions.fenced_code import FencedCodeExtension
except ImportError:
    # Runtime pip install at import time: the behaviour this finding flags
    print("[INFO] Installing markdown...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "markdown", "-q"])
    import markdown
    from markdown.extensions.tables import TableExtension
    from markdown.extensions.fenced_code import FencedCodeExtension
Confidence
91% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "markdown", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs file reads, file writes, and shell execution but does not declare permissions or present clear guardrails. This increases the chance that an agent invokes powerful operations without explicit review, especially given that it processes arbitrary user-supplied files and paths.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatically installing a Python package at runtime introduces package-management and subprocess execution behavior that is not necessary for a simple Markdown-to-HTML converter. In an agent skill context, this is more dangerous because the skill may run in automated environments with network access and elevated trust, turning a formatting task into one that can modify the host environment and pull remote code.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README suggests that supplying only a bare file path is enough to invoke the skill, which can cause overly broad or accidental activation on arbitrary local files. In an agent setting, this weakens user-intent verification and increases the chance of processing or publishing sensitive local content without an explicit confirmation step.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README highlights one-click upload to the WeChat draft box but does not clearly warn that document contents and associated media will be transmitted to an external third-party service using stored credentials. In this skill’s context, that omission is more dangerous because the workflow is specifically designed to transform arbitrary files and publish them, so users may unintentionally send confidential data off-host.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The regex-style triggers are broad enough to activate on generic requests about sending or converting content for WeChat. In context, accidental invocation is risky because this skill performs file conversion and external publication, which can cause unintentional data disclosure or unwanted drafting of content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill promises to publish to the WeChat draft box automatically and explicitly says to return a published draft rather than a proposal, but it does not require a clear warning or consent before transmitting content to an external service. Because the input may be arbitrary files, this creates a real risk of exfiltrating private documents, embedded metadata, OCR'd images, or transcripts outside the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script installs markdown via pip without prior approval, visibility, or policy enforcement. This can surprise operators, violate least privilege expectations, and expose the runtime to dependency-confusion, malicious package publication, or install-time code execution if package resolution is compromised.

Unvalidated Output Injection

High
Category
Output Handling
Content
import os, subprocess, sys
# Credentials are placed in the process environment and inherited by the child script
os.environ['WECHAT_APP_ID'] = '<app_id>'
os.environ['WECHAT_APP_SECRET'] = '<app_secret>'
result = subprocess.run([
    sys.executable,
    r'<anything-to-wechat_skill_dir>/scripts/publish_to_wechat.py',
    '--file', r'<workspace>/wechat_article.html',
    '--title', '<article_title>',
])
Confidence
91% confidence
Finding
subprocess.run([ sys.executable, r'<anything-to-wechat_skill_dir>/scripts/publish_to_wechat.py', '--file', r'<workspace>/wechat_article.html', '--title', '<article_title>', '--cove

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.