Security audit

wechat-reply-ai

Security checks across malware telemetry and agentic risk

Overview

This skill broadly does what it claims, but it gives an agent powerful control over private WeChat conversations with under-disclosed auto-reply, background, screenshot, and remote LLM behaviors.

Install only if you intentionally want an agent to operate your logged-in PC WeChat. Review exact recipients, message text, and file paths before sending; avoid sensitive chats; do not use smart-reply unless you accept chat text being sent to the configured LLM provider; and stop the daemon when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation exposes capabilities to read local content, write files, invoke shell commands, and potentially access the network, but it does not declare permissions or clearly bound those powers. In an automation skill that can read and send WeChat messages and files, undeclared capabilities reduce user visibility and make misuse or overreach easier to hide.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a meaningful description-behavior mismatch because the skill is presented as a local WeChat automation tool, while the detected behavior includes continuous monitoring, autonomous replying, and sending visible chat transcripts to an external LLM API. That combination can silently exfiltrate private conversations and automate actions on the user's behalf beyond what the description leads users to expect.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The persona explicitly instructs the agent to avoid disclosing that it is a tool, script, or AI, which promotes deceptive impersonation during message handling. In the context of an auto-reply toolkit that can read messages and send replies on a logged-in WeChat account, this increases the risk of non-consensual social engineering, misrepresentation, and trust abuse toward message recipients.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The guide explicitly tells the agent not to reveal AI, script, or automation involvement, which enables deceptive impersonation of the user during private messaging. In the context of a Windows local WeChat auto-reply tool that reads messages and sends replies on a logged-in account, this materially increases the risk of undisclosed automated communications, social engineering, and misuse of personal relationships or authority.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script invokes an external PowerShell process to capture part of the screen, which expands the skill from simple message reading into local screen exfiltration. In this skill context, that is sensitive because the screenshot may include private chat content and nearby UI elements, and the external process execution is not narrowly constrained by a consent gate.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script saves screenshots of chat content to a fixed filesystem path outside any temporary or app-scoped location. This creates unnecessary data persistence and privacy risk because sensitive message content may remain on disk, be discovered by other users or tools, or be overwritten unpredictably without the operator's awareness.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The tool is described as a local WeChat automation utility, but in smart-reply mode it transmits visible WeChat transcript content to an external LLM API. That creates a data-exfiltration/privacy risk because chat contents may include sensitive personal or business information, and users may not expect off-device transmission from a 'local' automation skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown lacks a prominent warning that this skill can read WeChat conversations, send messages as the user, and transmit local files/media. In a messaging automation context, missing disclosure materially increases the chance of unintended privacy loss, impersonation, or unauthorized data handling.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill metadata advertises a broad capability to read WeChat messages, generate replies, and send content on a locally logged-in Windows client without clearly constraining permitted triggers, scope, or required user confirmation. In an agentic environment, this can cause over-invocation of a high-risk messaging skill, leading to unauthorized message access, unintended outbound communications, and privacy or impersonation harm.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly instructs the agent to read WeChat content and send outbound messages on the user's behalf, but it provides no warning about privacy exposure, message authenticity, or the risk of sending unintended communications. In an automation skill for a personal messaging platform, omission of consent and outbound-action warnings materially increases the chance of unauthorized or poorly understood message handling.

Missing User Warnings

High
Confidence
98% confidence
Finding
The daemon section describes starting a persistent background process that reads incoming messages and sends replies, yet it does not clearly warn that continuous monitoring and automated outbound actions will occur. Because this is a resident process tied to a real messaging account, lack of disclosure and control mechanisms could lead to silent surveillance, unintended auto-replies, or prolonged operation beyond the user's intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The daemon logs contact identifiers and operational metadata for message reads and sends, creating a local artifact of private communications activity without clear consent or disclosure. In the context of a WeChat automation tool that handles personal chats, even metadata logging can expose sensitive relationship and communication patterns to other local users, malware, backup systems, or forensic review.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill automates reading WeChat message contents via UI automation/OCR, which accesses highly sensitive personal data. Although this is core functionality of the tool, the absence of explicit user warning, consent flow, or data-handling notice makes it a genuine privacy/security issue because users may not appreciate that message contents are being programmatically extracted and processed.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script reads chat content via clipboard automation and optionally exports the conversation as screenshots without any consent prompt, privacy warning, or data-minimization control. In the context of a local WeChat automation tool, this directly handles private communications, so silent extraction materially increases the risk of unauthorized disclosure of sensitive personal or business information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The screenshot routine silently launches PowerShell to perform capture and save an image, which is a privacy-sensitive action and an execution-surface increase not clearly disclosed to the operator. Even if not directly exploitable as code injection here, hidden execution of an external interpreter for data capture is risky in a tool that processes private messages.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends visible chat transcript data to an external LLM endpoint automatically during smart-reply without any user-facing warning or confirmation at the point of transmission. In the context of a messaging automation skill, this materially increases privacy risk because messages can contain sensitive content and the exfiltration is silent once enabled.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.