Security audit

Web to WeChat

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose, but it needs review because it uses WeChat publishing credentials and its scripts can automatically install Python packages at runtime.

Install only if you are comfortable granting the agent access to a WeChat Official Account workflow. Preinstall dependencies in a controlled environment, avoid letting the scripts auto-install packages, store WeChat secrets carefully, and review the generated article before allowing it to create a WeChat draft.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing Pillow...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "Pillow", "-q"])
    from PIL import Image
Confidence
91% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "Pillow", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing requests...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "-q"])
    import requests

try:
Confidence
92% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing beautifulsoup4...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "beautifulsoup4", "-q"])
    from bs4 import BeautifulSoup

try:
Confidence
92% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "beautifulsoup4", "-q"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    print("[INFO] Installing html2text...")
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "html2text", "-q"])
    import html2text
Confidence
92% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "html2text", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to perform file writes, network access, and shell execution, but declares no permissions or equivalent safety boundaries. This creates hidden capability expansion: a user invoking a seemingly simple content workflow may unknowingly trigger external fetches, local file creation, and subprocess execution, increasing the risk of abuse and reducing auditability.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A utility whose stated purpose is local image compression should not silently install software at runtime. In the context of a web-scraping-to-WeChat publishing skill, this is more concerning because the automation may run unattended in production environments, turning a missing dependency into an unexpected package installation path with supply-chain and environment-integrity consequences.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill's stated purpose does not require self-modifying behavior, yet it installs packages dynamically at runtime. That makes the skill materially more dangerous because execution now depends on network-fetched code and alters the local environment, increasing supply-chain, persistence, and compliance risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README presents very broad natural-language trigger examples that can activate a workflow which scrapes arbitrary URLs and publishes content into a WeChat account draft box. Because the action chain involves external content retrieval plus authenticated publication, vague activation phrases increase the chance of unintended or under-specified execution, especially if a user mentions a link casually or without understanding that publishing will occur.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes a pipeline that uses WeChat AppID/AppSecret, fetches third-party web content, reformats it with AI, generates media, and uploads the result to the user's WeChat draft box, but it does not clearly warn about credential sensitivity, outbound data flow, or the publication effects of the workflow. In this skill context, that omission is security-relevant because users may not realize that secrets are being used for authenticated actions and that scraped or transformed content may be transmitted to additional tools or services.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger regexes are broad enough to match common article-sharing requests, which can cause the skill to activate in contexts where the user did not intend web scraping and WeChat publication. Because the workflow includes external fetching, rewriting, image generation, and publishing actions, over-triggering increases the chance of accidental data transmission or unauthorized reposting.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill promises automatic publication to a WeChat draft box without prominently warning that article content, metadata, generated assets, and possibly credentials will be transmitted to external services. This undermines informed consent and can expose sensitive or copyrighted material to third parties without adequate notice.

Unvalidated Output Injection

High
Category
Output Handling
Content
import os, subprocess, sys
os.environ['WECHAT_APP_ID'] = '<app_id>'
os.environ['WECHAT_APP_SECRET'] = '<app_secret>'
result = subprocess.run([
    sys.executable,
    r'<anything-to-wechat_skill_dir>/scripts/publish_to_wechat.py',
    '--file', r'<workspace>/wechat_article.html',
Confidence
88% confidence
Finding
subprocess.run([ sys.executable, r'<anything-to-wechat_skill_dir>/scripts/publish_to_wechat.py', '--file', r'<workspace>/wechat_article.html', '--title', '<article_title>', '--cove

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.