Wechat Automation Api

Security checks across malware telemetry and agentic risk

Overview

This skill can send real WeChat messages through a logged-in client. Beyond the narrow skill description it also ships review-worthy extras: bulk sending, a local HTTP service, a background monitoring process, and third-party (WPush) alerting.

Install only if you intentionally want an agent to operate a logged-in Windows WeChat client. Require your own preview and confirmation before each send; avoid bulk or unsolicited outreach; keep any HTTP service bound to localhost and protected by a strong private token; disable WPush monitoring unless you explicitly need it; and treat logs, clipboard contents, image URLs, recipients, and message text as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (32)

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
Finding: The README describes substantially broader capabilities than the declared skill purpose: an HTTP API, asynchronous queue management, batch messaging, and service operation. Scope expansion matters for agent-integrated skills because an operator who believes they are approving a narrowly scoped messaging skill is in fact exposing a general local service that can be driven programmatically and at scale.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
Finding: The README adds a monitoring daemon and a WPush-based phone alerting feature that is outside the stated WeChat sending scope. This introduces a second outbound notification channel, increasing the risk of unexpected data egress and making the skill capable of transmitting operational state to an external service unrelated to the user's requested WeChat action.

Context-Inappropriate Capability

Severity: High. Confidence: 98%.
Finding: External WPush phone notifications are context-inappropriate for a skill whose stated function is local WeChat message automation. Even if intended for reliability monitoring, they create an unexpected external transmission path that could leak host status, message failures, or other operational metadata to a third-party push service.

Context-Inappropriate Capability

Severity: Medium. Confidence: 88%.
Finding: Downloading images from arbitrary URLs gives the skill a network retrieval capability beyond simple local UI control of WeChat. That expands the attack surface to SSRF-style requests against internal hosts, retrieval of malicious or oversized content, and unintended contact with external hosts when the agent is only expected to send a local image or message.

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.
Finding: The documentation materially expands a simple local WeChat send capability into a bulk-messaging workflow by providing a batch_send.py script, contact list handling, and repeated send instructions. In the context of a messaging automation skill, this enables scalable unsolicited outreach and spam campaigns, increasing abuse potential beyond the stated single-message text/image use case.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Finding: The README includes recruitment-oriented mass outreach guidance and ready-made solicitation copy, which operationalizes the skill for cold-contact campaigns rather than personal message sending. That context makes the automation more dangerous because it directly supports spam, harassment, and potentially deceptive recruiting at scale.

Intent-Code Divergence

Severity: Medium. Confidence: 93%.
Finding: The security section claims the automation is undetectable and carries no account-ban risk even though the documented behavior is automated GUI-driven message sending. These assurances can mislead users into unsafe deployment, lower caution around platform policy violations, and encourage abusive use by falsely minimizing operational and compliance risk.

Description-Behavior Mismatch

Severity: Low. Confidence: 87%.
Finding: The README explicitly documents bulk messaging to multiple contacts, which expands the effective capability of the skill from one-to-one messaging into broadcast-style outreach. In the context of a WeChat automation tool, this increases the risk of spam, policy violations, unwanted mass contact, and abuse of the local authenticated client for unsolicited recruitment or social-engineering campaigns.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
Finding: The code enables bulk messaging to an arbitrary list of contacts, which exceeds the stated skill behavior of sending a message or image to a single person. This creates a spam and misuse vector: a caller can automate repeated outreach at scale through the local WeChat client, increasing the risk of harassment, social engineering, or unauthorized mass notification from the user's account.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
Finding: The changelog documents a WPush alerting feature that extends the skill beyond its declared purpose of local WeChat text/image sending. Even though this file is documentation, it describes code and configuration changes that add outbound notification behavior to an external service, creating undeclared data egress and scope expansion that could expose status or message-related metadata.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Finding: Launching a separate watchdog process via subprocess adds persistence-like behavior and increases the operational scope of a simple message-sending skill. In an agent environment, an extra background monitor can evade expected lifecycle boundaries, complicate oversight, and create opportunities for unintended continuous monitoring or misuse.

Context-Inappropriate Capability

Severity: High. Confidence: 97%.
Finding: The documented WPush API notifications introduce external network communication that is not justified by a local WeChat automation skill's stated scope. This is especially risky because monitoring events and failure states can leak operational metadata to third parties, and the hidden addition of an outbound channel materially changes the trust model of the skill.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
Finding: The code ignores any user-specified recipient or message and instead always searches for a fixed contact and sends a hard-coded message. In an automation skill that claims to send WeChat messages on behalf of a user, this creates an integrity risk: the skill can message unintended recipients with unintended content, causing misdelivery, privacy issues, or spam-like behavior.

Context-Inappropriate Capability

Severity: Medium. Confidence: 84%.
Finding: The skill advertises WeChat text/image sending, but it also starts an additional background monitoring process, expanding functionality beyond the declared scope. Even if the monitor is local and intended for reliability, hidden or undeclared process spawning increases attack surface, persistence, and the chance of unauthorized observation or automation on the host.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding: The skill metadata describes local WeChat automation, but this code adds an independent monitoring channel that sends alerts to an external third-party service (WPush). That creates undeclared outbound data flow and expands the skill's behavior beyond user expectations, which is dangerous because it introduces external communication and possible leakage of operational status or of message content configured in notifications.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Finding: The code performs outbound HTTP requests to api.wpush.cn, a third-party service unrelated to the stated purpose of locally controlling WeChat text/image sending. In a desktop automation skill, undisclosed network egress is especially sensitive because it can exfiltrate status, identifiers, or future user-provided notification content outside the local machine.
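Several findings above (the WPush daemon, the changelog entry, and the requests to api.wpush.cn) come down to one question an operator should be able to answer before installing: which hosts can this skill reach? The following is an added example, not part of SkillSpector or of the skill. It is a small static pass over a skill directory: it pulls literal hostnames out of every source and documentation file, compares them with a declared egress allowlist, and counts HTTP client call sites whose target is built at runtime so that those get manual review. The contents of SAMPLE_FILES are constructed to mirror the findings and are not copied from the skill.

```python
"""List every external host a skill's files reference and flag those not on
the declared egress allowlist. Added example; SAMPLE_FILES below are
constructed to mirror the report's findings, not the skill's real source."""
import re
from pathlib import Path
from urllib.parse import urlsplit

# What a local WeChat GUI-automation skill legitimately needs to reach: nothing.
# Anything added here should be justified in the skill description.
DECLARED_EGRESS = set()

URL_RE = re.compile(r"""https?://[^\s'"<>()\[\]]+""", re.IGNORECASE)
# HTTP client call sites; the target may be built at runtime, so there is
# not always a literal host to check and the call itself is worth a look.
HTTP_CALL_RE = re.compile(
    r"\b(?:requests\.(?:get|post|put|patch|delete|request)"
    r"|urllib\.request\.urlopen|urlopen|httpx\.(?:get|post|Client)"
    r"|aiohttp\.ClientSession)\s*\("
)
SCAN_SUFFIXES = {".py", ".md", ".txt", ".json", ".yaml", ".yml", ".toml", ".cfg", ".ini"}


def find_egress(text):
    """Return (sorted literal hostnames, number of HTTP client call sites)."""
    hosts = set()
    for m in URL_RE.finditer(text):
        host = urlsplit(m.group(0)).hostname
        if host:
            hosts.add(host)
    return sorted(hosts), len(HTTP_CALL_RE.findall(text))


def audit(files, declared=DECLARED_EGRESS):
    """files: {path: text}. Returns (violations, call_sites): violations is a
    sorted list of (path, host) pairs not in `declared`; call_sites maps each
    path containing HTTP client calls to its count."""
    violations, call_sites = [], {}
    for path, text in files.items():
        hosts, calls = find_egress(text)
        violations.extend((path, h) for h in hosts if h not in declared)
        if calls:
            call_sites[path] = calls
    return sorted(violations), call_sites


def load_tree(root):
    """Read a skill directory into the {path: text} shape audit() expects."""
    root = Path(root)
    return {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES
    }


# Constructed sample tree standing in for the skill's files (not its real code).
SAMPLE_FILES = {
    "wpush_monitor.py": (
        "import requests\n"
        "def alert(apikey, title):\n"
        "    requests.post('https://api.wpush.cn/api/v1/send',\n"
        "                  json={'apikey': apikey, 'title': title}, timeout=5)\n"
    ),
    "send_image.py": (
        "import requests\n"
        "def download(url, dest):\n"
        "    resp = requests.get(url, timeout=10)\n"
        "    open(dest, 'wb').write(resp.content)\n"
    ),
    "README.md": "# WeChat sender\nDocs: https://example.com/docs\n",
}

if __name__ == "__main__":
    bad, calls = audit(SAMPLE_FILES, declared={"example.com"})
    for path, host in bad:
        print(f"UNDECLARED EGRESS {host} in {path}")
    for path, n in calls.items():
        print(f"{n} HTTP call site(s) in {path}: review the URL source")
```

audit(load_tree("path/to/skill")) is the real invocation; a non-empty violations list, or any call site in a file that has no legitimate reason to talk to the network, is the point to stop and read the code. Literal-string matching misses hosts assembled at runtime or decoded from an obfuscated blob, so treat this as a first pass rather than proof of absence.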

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
Finding: The skill description says it controls local WeChat text/image sending, but the implementation also fetches remote content from caller-supplied (and therefore potentially attacker-controlled) URLs and stores it on disk. That expands the trust boundary from local UI automation to arbitrary network retrieval, which can leak network metadata, enable unexpected external communication, and expose the host to malformed image content or resource abuse.

Context-Inappropriate Capability

Severity: Medium. Confidence: 92%.
Finding: The code issues arbitrary outbound HTTP requests via requests.get(url, ...) using untrusted input, which gives the skill undeclared network reachability beyond simple WeChat automation. In an agent setting, this can be abused for SSRF-like access to internal services, unexpected beaconing to attacker infrastructure, or downloading oversized or malicious payloads under the guise of sending an image.

Context-Inappropriate Capability

Severity: Medium. Confidence: 98%.
Finding: The script embeds a live-looking authentication token directly in source code, which makes credential leakage likely through source control, logs, screenshots, or reuse across environments. In the context of a WeChat automation skill that can send messages from the local machine, possession of the token could allow unauthorized use of the local messaging service and abuse of the automation capability.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Finding: The documentation describes a Flask HTTP API that remotely triggers local WeChat UI automation. That expands the skill from a user-invoked local action into a network-reachable message-sending service, which can be abused by any local process or, if bound beyond localhost or exposed via port forwarding, by remote actors to send unauthorized messages through the logged-in WeChat account.
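The Overview's recommendations (localhost-only binding, a strong private token, a confirmation step before each send) and the two findings above on the hard-coded token and the Flask API come together in one hardened endpoint. The following is an added example, not the skill's own server: it is written against the standard library so it runs without Flask, but the same checks (loopback bind, token read from the environment and compared in constant time, a single string recipient, an explicit confirm flag, a body size cap) port directly to a Flask route. WECHAT_API_TOKEN, the /send path and send_to_wechat() are assumptions for illustration; send_to_wechat() only records what would have been sent.

```python
"""Hardened local send endpoint for a WeChat automation skill: loopback-only
bind, token from the environment, explicit confirmation before any send.
Added example, not the skill's own code; send_to_wechat() is a stand-in for
the GUI automation and only records what would be sent."""
import hmac
import http.client
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BIND_HOST = "127.0.0.1"   # never 0.0.0.0: any host on the LAN could drive the client
MAX_BODY = 64 * 1024      # refuse oversized bodies before parsing them
MIN_TOKEN_LEN = 32
SENT = []                 # constructed sink so the example runs without WeChat


def load_token():
    """Read the shared secret from the environment; never hard-code it."""
    token = os.environ.get("WECHAT_API_TOKEN", "")   # assumed variable name
    if len(token) < MIN_TOKEN_LEN:
        raise SystemExit(f"set WECHAT_API_TOKEN to at least {MIN_TOKEN_LEN} random characters")
    return token


def token_ok(presented, expected):
    """Constant-time comparison so response timing does not leak the token."""
    return hmac.compare_digest(str(presented).encode(), expected.encode())


def validate_request(body, expected_token):
    """Return (status, reason). Only a confirmed single-recipient send passes."""
    if not token_ok(body.get("token", ""), expected_token):
        return 401, "bad token"
    to = body.get("to")
    if not isinstance(to, str) or not to.strip():
        return 400, "'to' must be one contact name, not a list"
    if body.get("confirm") is not True:          # JSON true only, not "true"
        return 409, "preview only; resend with confirm=true to dispatch"
    return 200, "ok"


def send_to_wechat(to, text):
    """Stand-in for the GUI automation step."""
    SENT.append((to, text))


def make_handler(expected_token):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path != "/send":
                self._reply(404, "not found")
                return
            try:
                length = int(self.headers.get("Content-Length", "0"))
            except ValueError:
                self._reply(400, "bad content-length")
                return
            if length > MAX_BODY:
                self._reply(413, "body too large")
                return
            try:
                body = json.loads(self.rfile.read(length) or b"{}")
                if not isinstance(body, dict):
                    raise ValueError("body must be a JSON object")
            except ValueError:
                self._reply(400, "invalid json")
                return
            status, reason = validate_request(body, expected_token)
            if status == 200:
                send_to_wechat(body["to"], str(body.get("text", "")))
            self._reply(status, reason)

        def _reply(self, status, reason):
            data = json.dumps({"reason": reason}).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, fmt, *args):
            pass  # request lines carry recipients and text; keep them out of logs

    return Handler


def start_server(expected_token, port=0):
    """Bind to loopback (port=0 picks a free port) and serve on a daemon thread."""
    srv = ThreadingHTTPServer((BIND_HOST, port), make_handler(expected_token))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_send(port, body):
    """Client helper: POST body to /send on loopback, return (status, reason)."""
    conn = http.client.HTTPConnection(BIND_HOST, port, timeout=5)
    conn.request("POST", "/send", body=json.dumps(body),
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    reason = json.loads(resp.read())["reason"]
    conn.close()
    return resp.status, reason


if __name__ == "__main__":
    server = start_server(load_token(), port=8765)
    print(f"listening on http://{BIND_HOST}:{server.server_port}/send")
    threading.Event().wait()   # keep the main thread alive while the daemon serves
```

Run it with WECHAT_API_TOKEN set and POST {"token": "...", "to": "contact", "text": "...", "confirm": true} to http://127.0.0.1:8765/send; a request without confirm gets 409 and nothing is dispatched, which is the preview step the Overview asks for. Binding to 127.0.0.1 keeps LAN hosts out but not other local processes, which is why the token is still required even on loopback.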

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
Finding: The skill accepts arbitrary image URLs and downloads them before sending, introducing outbound network access and untrusted content ingestion beyond simple local messaging. This can enable SSRF-like access to internal resources, leakage of network metadata, or retrieval of maliciously large or malformed files that may destabilize the host or downstream image-processing components.
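The image-download findings above (under both Context-Inappropriate Capability and Description-Behavior Mismatch) describe the same gap: a caller-supplied URL goes straight to requests.get(). The following added example, not the skill's code, is the policy a practitioner would put in front of that call: an https-only scheme check, rejection of embedded credentials, resolution of the host with every returned address required to be public (so 127.0.0.1, 10/8, 169.254.169.254, ::1, multicast and IPv4-mapped loopback are refused), a hard byte cap that does not trust Content-Length, and a magic-byte check before the bytes reach Pillow. ALLOWED_SCHEMES, MAX_IMAGE_BYTES, the resolve= and open_stream= hooks and PNG_SAMPLE are assumptions; the hooks exist so the example runs offline.

```python
"""Gate caller-supplied image URLs before fetching, cap the bytes read, and
check the image signature before handing bytes to an image library.
Added example, not the skill's code. resolve= and open_stream= are injectable
so it runs offline; default resolution uses socket.getaddrinfo."""
import io
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}          # assumption: the skill never needs plain http
MAX_IMAGE_BYTES = 10 * 1024 * 1024   # assumption: a chat image is well under 10 MiB
MAGIC = {                            # leading bytes of the formats we accept
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


class UnsafeUrl(ValueError):
    """Raised for any URL or body the fetch policy rejects."""


def default_resolve(host):
    """All A/AAAA answers for host; every one must be public, not just the first."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _public_ip(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def check_image_url(url, resolve=default_resolve):
    """Return the set of public IPs the URL points at, or raise UnsafeUrl."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: no DNS lookup
    except ValueError:
        addrs = set(resolve(host))
    if not addrs:
        raise UnsafeUrl(f"{host} did not resolve")
    for addr in addrs:
        if not _public_ip(addr):
            raise UnsafeUrl(f"{host} resolves to non-public address {addr}")
    return addrs


def read_capped(stream, limit=MAX_IMAGE_BYTES, chunk=64 * 1024):
    """Read at most `limit` bytes from a file-like stream (for requests, pass
    resp.raw from a stream=True call). Content-Length is untrusted, so count
    what actually arrives."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise UnsafeUrl(f"body exceeds {limit} bytes")


def image_kind(data):
    """Return 'png', 'jpeg' or 'gif' from the leading bytes, else None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def fetch_image(url, open_stream, resolve=default_resolve):
    """Full policy: validate URL, open the stream, cap the read, verify the
    signature. open_stream(url) must return a file-like object."""
    check_image_url(url, resolve)
    data = read_capped(open_stream(url))
    if image_kind(data) is None:
        raise UnsafeUrl("body is not a PNG, JPEG or GIF")
    return data


# Constructed sample: a PNG signature plus filler, enough for the checks here.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


def fake_open_stream(data):
    """Return an open_stream() hook that serves the given bytes offline."""
    return lambda url: io.BytesIO(data)
```

With requests the open_stream hook would be lambda u: requests.get(u, stream=True, timeout=10).raw. One caveat the code cannot fix on its own: check_image_url resolves the name once and the HTTP client resolves it again, so a DNS answer that changes between the two lookups (rebinding) slips through; connect to the checked IP with the Host header set, or route the fetch through an egress proxy that enforces the same rules, where that matters in your deployment.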

Unpinned Dependencies

Severity: Low. Category: Supply Chain.
Content (requirements.txt):
pyautogui==0.9.54
pyperclip==1.8.2
Flask==3.0.0
uiautomation
requests>=2.31.0
Pillow>=10.4.0
pywin32>=306
Finding: four entries are not pinned to an exact version: uiautomation (no version specifier at all; 93% confidence), requests>=2.31.0 (96%), Pillow>=10.4.0 (95%), and pywin32>=306 (95%). A lower-bound-only specifier lets pip install whatever newer release exists at install time, so a compromised, breaking, or silently replaced upstream release lands without anyone noticing; a bare name accepts any version whatsoever. Exact pins with hashes close this.
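The supply-chain findings above are one check that is easy to automate: which lines of requirements.txt actually fix a version? The following added example, not part of SkillSpector or the skill, classifies each line as pinned (exact ==), ranged (>=, ~=, <, or a wildcard such as ==1.*), unpinned (bare name), or a URL/direct reference; SAMPLE_REQUIREMENTS reproduces the lines shown in the report.

```python
"""Classify each requirements.txt line by how tightly it pins a version.
Added example, not part of the scanner; SAMPLE_REQUIREMENTS is the file
content shown in the report above."""
import re

# name, optional [extras], then everything else (the version specifier)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*(?:#.*)?$")
STATUSES = ("pinned", "ranged", "unpinned", "url", "unparsed")


def classify(line):
    """Return (name, status) or None for blank, comment and option lines."""
    s = line.strip()
    if not s or s.startswith("#") or s.startswith("-"):
        return None
    if "://" in s or s.startswith((".", "/")):        # direct/VCS/path reference
        name = s.split("@", 1)[0].strip() if " @ " in s else s
        return (name, "url")
    m = REQ_RE.match(s)
    if not m:
        return (s, "unparsed")
    name, spec = m.group(1), m.group(3)
    spec = spec.split(";", 1)[0].strip()               # drop environment markers
    if spec == "":
        return (name, "unpinned")
    if spec.startswith("==") and "*" not in spec and "," not in spec:
        return (name, "pinned")
    return (name, "ranged")                            # >=, ~=, <, !=, ==1.* ...


def audit_requirements(text):
    """Return {status: [names]} for every requirement line in text."""
    report = {status: [] for status in STATUSES}
    for line in text.splitlines():
        result = classify(line)
        if result:
            report[result[1]].append(result[0])
    return report


def needs_pinning(text):
    """Names the scanner would flag: anything not pinned to one exact version."""
    report = audit_requirements(text)
    return report["ranged"] + report["unpinned"]


# Constructed from the requirements lines shown in the report.
SAMPLE_REQUIREMENTS = """\
pyautogui==0.9.54
pyperclip==1.8.2
Flask==3.0.0
uiautomation
requests>=2.31.0
Pillow>=10.4.0
pywin32>=306
"""

if __name__ == "__main__":
    for status, names in audit_requirements(SAMPLE_REQUIREMENTS).items():
        if names:
            print(f"{status:9s} {', '.join(names)}")
```

Ranged and unpinned entries are exactly what the scanner flagged. The fix is to pin every line and add hashes (for example, pip-compile --generate-hashes from pip-tools) and install with pip install --require-hashes -r requirements.txt, so a substituted package fails to install rather than running.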

VirusTotal

VirusTotal findings are pending for this skill version.
