wechat-mp-publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is meant for WeChat publishing, but it forwards WeChat account credentials (AppID/AppSecret) and unpublished article content to a remote wenyan-mcp server, and its disclosure of that behaviour is incomplete and inconsistent.

Install only if you control or fully trust the configured wenyan-mcp server, connect to it over HTTPS with authentication rather than plain HTTP, and are comfortable with that server receiving the WeChat AppID/AppSecret and article content. Keep wechat.env out of version control and readable only by its owner, avoid the TOOLS.md credential path, and rotate the credentials if they may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill advertises and documents shell-based behavior (`cp`, `nano`, `chmod`, script execution, dependency checks) but does not declare corresponding permissions/capabilities. This creates a transparency and consent problem: users or hosting platforms may not realize the skill can execute local commands and read local files such as credential material.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The documented purpose emphasizes remote HTTP MCP publishing with credential isolation, but the behavior reportedly also includes local publication paths, reading credentials from user-local locations, and exporting secrets into the current shell session. This mismatch is security-relevant because it defeats user expectations about isolation and can expose credentials more broadly than advertised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script extracts raw WeChat credentials from a general-purpose markdown file in the user's home workspace, which broadens secret exposure beyond the minimum needed for a publishing helper. Using an unrelated documentation file as a secret store increases the chance of accidental disclosure, unintended parsing of stale credentials, or reuse of secrets from a location other tools or users may read.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly promotes remote HTTP publishing through a third-party MCP service and states that sensitive credentials are transmitted at runtime, but it does not clearly warn users that article content and secrets leave the local environment. In a publishing skill that handles the WeChat AppID/AppSecret and unpublished content, this omission can cause users to unknowingly expose sensitive data to a remote host they may not control or fully trust.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill directs users to connect to a remote MCP endpoint over plain HTTP and to send publication requests after loading local WeChat credentials, without a prominent warning about interception, server trust, or credential/data exposure. In this context, the skill handles sensitive publishing authority, so transmitting requests to an unauthenticated or unencrypted remote service materially increases the risk of credential theft, content tampering, and account abuse.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
The instructions tell users to create a local `wechat.env` containing sensitive app credentials but do not clearly warn about local secret-storage risks such as accidental commits, permissive file permissions, shell history leakage, or multi-user system exposure. While local env files are common, omitting storage hygiene guidance makes credential compromise more likely.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The example promotes automatic image uploading and one-click publishing to an external platform without warning that local files and article content may be transmitted off-machine or published publicly. In a publishing skill, these side effects are expected, but failing to disclose them can mislead users into triggering network uploads or unintended publication with sensitive content or images.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The instructions tell users to configure credentials for a remote publishing workflow but do not warn that those credentials grant access to an external WeChat account or describe safe handling expectations. In this skill context, credential use is legitimate, but omission of security guidance increases the chance of account misuse, accidental exposure, or unsafe storage practices.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The script silently accesses sensitive local credentials from TOOLS.md without an explicit security warning or consent checkpoint, which can surprise users into exposing secrets from their home workspace. In the context of an agent skill, hidden local secret access is more concerning because users may invoke setup routines assuming only environment preparation, not credential harvesting from arbitrary files.
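The recommendations in the Overview and the findings above (plain-HTTP endpoint, wechat.env storage hygiene, credential parsing from TOOLS.md) can be turned into a local preflight check run before the skill is installed or invoked. The POSIX shell functions below are an added example written for this page, not code from the wechat-mp-publisher skill or the wenyan-mcp project. The variable names WECHAT_APP_ID and WECHAT_APP_SECRET, the credential-like pattern searched for in TOOLS.md, and the assumption that wechat.env, .gitignore and TOOLS.md sit in the same project directory are all illustrative guesses, not names or paths the skill is known to use.

```sh
#!/bin/sh
# Added example (not part of wechat-mp-publisher): preflight checks a user can
# run before installing the skill. Assumptions: the MCP endpoint URL is passed
# as an argument; credentials live as KEY=VALUE lines in wechat.env; the names
# WECHAT_APP_ID / WECHAT_APP_SECRET and the TOOLS.md pattern are illustrative.

# 0 if the endpoint is HTTPS. Plain http:// exposes AppID/AppSecret and article
# content to on-path interception, which the findings above call out.
check_endpoint_scheme() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "WARN: MCP endpoint '$1' is not HTTPS" >&2; return 1 ;;
  esac
}

# 0 if the env file exists and is readable only by its owner (mode 600 or 400).
check_env_perms() {
  ce_file="$1"
  [ -f "$ce_file" ] || { echo "WARN: $ce_file not found" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback; errors are silenced.
  ce_mode=$(stat -c '%a' "$ce_file" 2>/dev/null || stat -f '%Lp' "$ce_file" 2>/dev/null)
  case "$ce_mode" in
    600|400) return 0 ;;
    *) echo "WARN: $ce_file has mode '$ce_mode', expected 600" >&2; return 1 ;;
  esac
}

# 0 if the env file name appears as an exact line in the repo's .gitignore,
# i.e. an accidental commit would not pick it up.
check_gitignore() {
  grep -qxF "$2" "$1/.gitignore" 2>/dev/null
}

# 0 if a markdown file (TOOLS.md) contains no credential-looking assignments.
# The regex is an assumption about what such a file might hold, not the
# skill's actual parsing logic.
check_no_secrets_in_markdown() {
  cm_file="$1"
  [ -f "$cm_file" ] || return 0   # nothing there to leak
  if grep -Eiq '(app_?secret|app_?id)[[:space:]]*[:=]' "$cm_file"; then
    echo "WARN: $cm_file contains credential-like assignments; keep them in wechat.env only" >&2
    return 1
  fi
  return 0
}

# Export the env file's variables to this shell and its children without
# typing `export KEY=value` at an interactive prompt (which lands in shell
# history). Values are never echoed.
load_env_quietly() {
  set -a
  # shellcheck disable=SC1090
  . "$1"
  set +a
}

# 0 if both assumed credential variables are set; values are not printed.
has_credentials() {
  [ -n "${WECHAT_APP_ID:-}" ] && [ -n "${WECHAT_APP_SECRET:-}" ]
}

# Run every check. Return value is the number of failed checks (0 = all clear).
preflight() {
  pf_url="$1"; pf_repo="$2"; pf_env="$3"
  pf_fail=0
  check_endpoint_scheme "$pf_url"                    || pf_fail=$((pf_fail + 1))
  check_env_perms "$pf_repo/$pf_env"                 || pf_fail=$((pf_fail + 1))
  check_gitignore "$pf_repo" "$pf_env"               || pf_fail=$((pf_fail + 1))
  check_no_secrets_in_markdown "$pf_repo/TOOLS.md"   || pf_fail=$((pf_fail + 1))
  return "$pf_fail"
}
```

Usage: `preflight https://your-mcp-host/mcp /path/to/project wechat.env` returns 0 when every check passes and otherwise the number of failures, with warnings on stderr and no secret values printed. `load_env_quietly` replaces typing `export` at the prompt, but sourcing still places the secrets in that shell's environment and every child process it starts, so run it in the shell that performs the publish step rather than in a long-lived login shell.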

VirusTotal

0 of 64 vendors flagged this skill as malicious. A clean VirusTotal result means only that the files did not match known malware signatures; it does not address the credential-handling and disclosure findings above.