Back to skill

Security audit

Wechat Mp To Notion

Security checks across malware telemetry and agentic risk

Overview

This skill transparently fetches a user-provided WeChat article and writes it into a user-specified Notion page or database.

Install only if you want articles saved into Notion. Use a dedicated Notion integration token with access limited to the target page or database, verify the parent ID before running, and pass only article URLs you intend to archive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill description explains that it saves content to Notion, but it does not clearly warn that running the skill will create new pages or database entries in the user's workspace. This can lead to unintended side effects, especially if a user expects a read-only conversion or preview operation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script fetches content from a user-supplied WeChat article URL and then uploads the extracted article text, metadata, and source URL into Notion without any consent prompt, warning, or data minimization step. In a skill context, this silent cross-service transfer can expose sensitive or private article contents to a third-party workspace and may violate user expectations or policy requirements.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.