Back to skill

Security audit

WeChat Article Creator

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed WeChat draft helper, but it asks for sensitive WeChat credentials while its CLI can misleadingly report success without actually generating or saving a draft.

Install only if you intend to connect a WeChat Official Account and are comfortable giving the skill access to those credentials. Treat the current CLI as incomplete and verify drafts manually; keep WECHAT_SECRET out of source control and logs, and prefer a preview or confirmation step before any WeChat draft is saved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises that it will search, generate, format, and save a WeChat draft, but the executable path only parses arguments and prints success-style messages. This is a security-relevant integrity issue because users or agents may believe content was actually created or published when no such action occurred, leading to unsafe automation assumptions or workflow bypass.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The comments and output imply search and AI generation happen, but the code never invokes them and still reports successful completion. In agent settings, this can mislead downstream systems into treating nonexistent work as completed, which is an integrity and trust problem.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly advertises automatic saving to the WeChat draft box, which means the tool can modify data in an external account. Without a clear warning, confirmation step, or documentation of that side effect, users may run the skill without realizing it will perform write actions against their公众号, increasing the risk of unintended content publication workflows or account-side changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place WECHAT_APPID and WECHAT_SECRET in a .env file or environment variables but provides no guidance on protecting those credentials. This omission can lead to accidental exposure through source control, logs, shared shells, or insecure deployment practices, which could allow unauthorized access to the connected WeChat public account.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation text uses broad trigger phrases such as writing WeChat content or automatically creating articles without strong scope limits or explicit consent boundaries. In an agent ecosystem, this can cause over-triggering, leading the skill to run in situations where the user only wanted ideation or editing, and may result in unintended external actions such as content generation and draft creation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description does not clearly warn users that generated content may be uploaded to the WeChat draft box, which is an external side effect involving account resources and potentially sensitive content. Without an upfront warning or confirmation step, a user may unknowingly authorize publication-adjacent actions, increasing the risk of accidental data disclosure or unwanted account changes.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "@onWalking",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0",
    "dotenv": "^16.3.0"
  }
}
Confidence
95% confidence
Finding
"axios": "^1.6.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "axios": "^1.6.0",
    "dotenv": "^16.3.0"
  }
}
Confidence
88% confidence
Finding
"dotenv": "^16.3.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.6.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.