Security audit

HTML to WeChat

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent HTML-to-WeChat draft publishing helper, but it handles WeChat Official Account credentials, uploads article bodies and cover images to WeChat's servers, and installs the Pillow image library at runtime via pip if it is not already present.

Install only if you intend to upload HTML and cover images to a real WeChat Official Account draft box. Use a least-privilege or dedicated WeChat account where possible. Keep the AppSecret out of saved shell history and source files: the quick-start sets it inside an inline python -c command, which lands in shell history and is visible in process listings, so supply it through the environment or a secrets store instead. Review the generated draft in WeChat before publishing, and install and pin the Python dependencies yourself instead of relying on the script's runtime auto-installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing Pillow...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "Pillow", "-q"])
    from PIL import Image
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "Pillow", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to execute multiple shell/Python commands, install packages, fetch remote content, and invoke external scripts, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users and the platform may not realize the skill can execute code and access local/remote resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The skill claims a simple HTML-to-WeChat publishing flow, but also performs auxiliary behaviors including cover-image generation/compression, local file writes, and auto-installation of dependencies. While some of this is operationally related, the mismatch reduces informed consent and can hide execution of unexpected code paths such as package installation and image processing.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Auto-installing Pillow via pip at runtime introduces network retrieval and package-management side effects that are not necessary for safe execution of a simple utility. The install is unpinned (`pip install Pillow`), so the script takes whatever version the package index serves at the time. This can unexpectedly alter the environment, fail unpredictably on offline or restricted systems, and expose users to supply-chain risk if the package index or dependency resolution is compromised.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The quick-start examples are broad enough that an agent could invoke this skill whenever a user mentions HTML and publishing to WeChat, without confirming that the content is safe to transmit or that the user intended credentialed publication. In an automated agent setting, overly permissive activation increases the chance of accidental data exfiltration or unintended posting to a real WeChat account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to configure AppID/AppSecret and upload article content to the WeChat draft box, but it does not clearly disclose that article bodies, cover images, and credentials are used in an external API workflow. In agent-driven environments, missing disclosure can cause users to unknowingly transmit sensitive or proprietary content and mishandle secrets.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill promises direct publication to a third-party WeChat account but does not prominently warn that article content, cover media, and account credentials/tokens will be transmitted to external services. This can lead users to disclose sensitive content or perform account-linked actions without clear consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script modifies the runtime environment by automatically installing a dependency via subprocess, without an upfront warning or explicit opt-in. In agent or automation contexts this violates the principle of least surprise, bypasses change-control expectations, and triggers package-installer logic in environments that should remain immutable or offline.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
python -c "
import os, subprocess, sys
os.environ['WECHAT_APP_ID'] = '<app_id>'
os.environ['WECHAT_APP_SECRET'] = '<app_secret>'
result = subprocess.run([
    sys.executable,
    r'<anything-to-wechat_skill_dir>\scripts\publish_to_wechat.py',
Confidence
72% confidence
Finding
os.environ['WECHAT_APP_SECRET']
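
Two of the findings above, the runtime `pip install Pillow` inside `except ImportError` and the AppSecret assigned inside an inline `python -c` command, share the same fix: fail clearly when a dependency is missing instead of fetching it, and read credentials from an environment or file that was populated outside the process. The block below is an added example written for this audit page, not code from the skill; the names `require_dependency`, `load_wechat_credentials`, `read_private_secret_file`, `WeChatCredentials` and the demo inputs are assumptions chosen for illustration.

```python
"""Hardened replacements for the two audited patterns: runtime `pip install`
inside `except ImportError`, and an AppSecret assigned inside an inline
`python -c` command. Added example, not the skill's code; the names
require_dependency, load_wechat_credentials, read_private_secret_file and
WeChatCredentials are assumptions chosen for illustration."""
import importlib.util
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Mapping, Optional


class MissingDependency(RuntimeError):
    """Raised instead of shelling out to pip; the operator installs a pinned version."""


def require_dependency(module: str, pip_name: Optional[str] = None) -> bool:
    """Fail clearly if `module` is absent; never fetch it over the network at runtime."""
    if importlib.util.find_spec(module) is None:
        raise MissingDependency(
            f"{module} is not installed; add '{pip_name or module}==<pinned version>' "
            "to the reviewed requirements file and install it before running."
        )
    return True


@dataclass
class WeChatCredentials:
    app_id: str
    app_secret: str = field(repr=False)  # keep the secret out of logs and tracebacks

    def __str__(self) -> str:
        return f"WeChatCredentials(app_id={self.app_id!r}, app_secret='***')"


def load_wechat_credentials(env: Mapping[str, str]) -> WeChatCredentials:
    """Read credentials from an environment populated *outside* this process
    (shell `export`, a secrets manager, a 0600 env file), so the secret never
    appears in shell history or `ps` output. Rejects the README's literal
    '<app_id>' / '<app_secret>' placeholders if they were left unreplaced."""
    values = {}
    for name in ("WECHAT_APP_ID", "WECHAT_APP_SECRET"):
        value = env.get(name, "").strip()
        if not value:
            raise ValueError(f"{name} is not set")
        if value.startswith("<") and value.endswith(">"):
            raise ValueError(f"{name} still holds the placeholder {value!r}")
        values[name] = value
    return WeChatCredentials(values["WECHAT_APP_ID"], values["WECHAT_APP_SECRET"])


def read_private_secret_file(path: str) -> str:
    """Read a secret from a file, refusing group- or world-readable modes on POSIX
    (other platforms carry no such mode bits, so only readability is checked)."""
    mode = os.stat(path).st_mode
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by others; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def demo() -> dict:
    """Exercise the checks with constructed inputs (no real credentials)."""
    r = {"posix": os.name == "posix"}
    r["stdlib_present"] = require_dependency("json")
    try:
        require_dependency("no_such_module_for_this_demo", "Pillow")
        r["missing_rejected"] = False
    except MissingDependency:
        r["missing_rejected"] = True
    creds = load_wechat_credentials({"WECHAT_APP_ID": "wx_demo_id", "WECHAT_APP_SECRET": "demo-s3cr3t"})
    r["secret_hidden"] = "demo-s3cr3t" not in str(creds) and "demo-s3cr3t" not in repr(creds)
    try:
        load_wechat_credentials({"WECHAT_APP_ID": "<app_id>", "WECHAT_APP_SECRET": "<app_secret>"})
        r["placeholder_rejected"] = False
    except ValueError:
        r["placeholder_rejected"] = True
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wechat_app_secret")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("demo-s3cr3t\n")
        os.chmod(path, 0o600)
        r["private_file_read"] = read_private_secret_file(path) == "demo-s3cr3t"
        os.chmod(path, 0o644)
        try:
            read_private_secret_file(path)
            r["world_readable_rejected"] = False
        except PermissionError:
            r["world_readable_rejected"] = True
    return r


if __name__ == "__main__":
    print(demo())
```

With this shape the install step becomes a reviewable `pip install -r requirements.txt` against a pinned version, and the quick-start reduces to `export WECHAT_APP_ID=... WECHAT_APP_SECRET=...` (or a 0600 file read by `read_private_secret_file`) followed by the script invocation, so the secret never appears as a literal in the command line or in source.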

Unvalidated Output Injection

High
Category
Output Handling
Content
import os, subprocess, sys
os.environ['WECHAT_APP_ID'] = '<app_id>'
os.environ['WECHAT_APP_SECRET'] = '<app_secret>'
result = subprocess.run([
    sys.executable,
    r'<anything-to-wechat_skill_dir>\scripts\publish_to_wechat.py',
    '--file', r'<workspace>\wechat_article.html',
Confidence
88% confidence
Finding
subprocess.run([ sys.executable, r'<anything-to-wechat_skill_dir>\scripts\publish_to_wechat.py', '--file', r'<workspace>\wechat_article.html', '--title', '<article_title>', '--cove

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.