Wechat Article Fetch

Security checks across malware telemetry and agentic risk

Overview

This skill fetches and parses user-provided WeChat article pages, with disclosed network use and no evidence of hidden data access, persistence, or destructive behavior.

Install this only if you are comfortable with the skill making HTTP requests to article URLs you provide. Prefer public WeChat article links, and consider asking the publisher to add mp.weixin.qq.com host validation and clearer raw HTML safety notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill clearly performs outbound network access to fetch article content, but the manifest does not declare that capability or warn users about it. Undeclared network behavior reduces transparency and consent, making it easier for a skill to access remote resources unexpectedly and complicating policy enforcement or sandboxing.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The documented return format includes raw_html, but the skill description does not warn that raw HTML may contain embedded links, tracking parameters, metadata, or other content not visible in extracted article text. Exposing or storing this data can create privacy, tracking, and downstream rendering risks if consumers treat it as harmless text.

VirusTotal

No VirusTotal findings

View on VirusTotal