wechat-mp-draft-publisher

Security checks across malware telemetry and agentic risk

Overview

The skill appears to publish WeChat drafts as described, but it can also download and run unverified code, and it exposes sensitive tokens in its normal output.

Review before installing. Prefer a locally audited binary supplied with --bin, avoid direct URL and latest-release auto-download modes, unset GITHUB_TOKEN before any download path, and do not share command output because it includes a WeChat access token. Static scan was clean and VirusTotal was pending, but those signals do not remove the artifact-backed risks above.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly invokes shell execution via `bash scripts/publish_draft.sh` but does not declare that capability or corresponding permissions. Undeclared shell execution is risky because it expands the trust boundary, can invoke local programs and network actions indirectly, and prevents users or platforms from accurately assessing what the skill can do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially understates the risk: it supports downloading and executing a binary from GitHub releases or an arbitrary direct URL, yet the description focuses on WeChat draft publishing. Remote acquisition and execution of an executable is a major supply-chain risk, especially when the source may be a direct URL and no integrity verification or pinning is described.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The installer explicitly supports a user-supplied --url and then downloads, chmods, and installs whatever binary or zip is hosted there, with no origin restriction, signature verification, checksum validation, or publisher trust check. Because this skill’s purpose is narrowly WeChat draft publishing, allowing arbitrary executable installation materially expands capability into generic code delivery and creates a straightforward remote code execution/supply-chain risk if the URL is malicious or tampered with.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script can fetch a binary from either a GitHub release or an arbitrary URL at runtime and then execute it, which expands the skill's capabilities beyond local draft publishing into remote code retrieval and execution. This creates a supply-chain and arbitrary code execution risk, especially because the downloaded artifact is not pinned by digest, signature-verified, or explicitly user-confirmed before execution.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The final JSON output includes the WeChat access token, unnecessarily exposing a sensitive credential to callers, logs, downstream tools, or transcript storage. Anyone who can read that output may be able to reuse the token to perform API actions as the account until the token expires.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code path allows the skill to download and execute an external binary from a remote release source even though the stated function is only to publish drafts. In the context of an agent skill, this is especially dangerous because it gives a content-publishing workflow an unexpected code-execution primitive that could be abused through environment variables or configuration manipulation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs use of local WeChat credentials and uploads article content and images to external APIs, but does not explicitly warn users that secrets and local content will be transmitted off-host. This can lead to accidental disclosure of sensitive credentials, unpublished content, or proprietary media when users assume the skill operates locally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The contract documents an auto-download and install path for an executable into the skill's bin directory, but does not require explicit user consent, integrity verification, or strong provenance checks before fetching and running code. In this skill context, that is especially risky because the downloaded binary will handle WeChat credentials and publishing actions, so a compromised or attacker-controlled release asset could steal secrets or execute arbitrary code on the host.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script exposes the access token in its final JSON response without warning, which is a direct sensitive-data disclosure. In agent environments, outputs are often logged, surfaced to users, or stored in telemetry, making token leakage more dangerous than in a purely local interactive shell context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script can silently enter an auto-download path for its executable without clear disclosure at the time of use, which undermines user expectations about what code will run. While lack of disclosure alone is less severe than the execution path itself, here it materially increases risk because users may believe they are only invoking a local draft publisher while the script retrieves and runs remote code.

VirusTotal

65/65 vendors reported this skill as clean.
