WeChat Mini Program CI

Security checks across malware telemetry and agentic risk

Overview

This skill documents WeChat Mini Program CI/CD workflows that use deployment credentials, and the sensitive capabilities are disclosed and aligned with that purpose.

Install only if you intend to let an agent help with WeChat Mini Program CI/CD. Treat the WeChat upload private key as a deployment credential: keep it out of repositories and chat logs, inject it through a CI secret store, restrict access and IPs where possible, rotate it if exposed, and require explicit confirmation before upload, preview, cloud function, storage, or container deployment commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to generate and use an upload private key for CI/CD operations but provides only minimal operational notes and no concrete handling guidance such as secure storage, access restrictions, secret injection, rotation, or prohibitions on committing the key to source control. Because this key authorizes code upload and deployment for a WeChat Mini Program, poor guidance can lead to credential leakage and unauthorized publishing or tampering in automated pipelines.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal