Holo WeChat MP

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Findings (2)

critical

suspicious.exposed_secret_literal

Location: skills/wechat-mp-illustrate/scripts/illustrate.py:69
Finding: File appears to expose a hardcoded API secret or token.
Evidence: client = client_class(api_key=[REDACTED], model=args.model)

critical

suspicious.potential_exfiltration

Location: skills/wechat-mp-illustrate/scripts/api.py:141
Finding: Python code base64-encodes a local file and sends it over the network.
Evidence: encoded = base64.b64encode(path.read_bytes()).decode("ascii")