Back to skill

Security audit

wechat-article-getter

Security checks across malware telemetry and agentic risk

Overview

This appears to be a WeChat article-reading skill, but it can install Python packages and Chromium at runtime and may query third-party mirror sites without clear user consent.

Review before installing. Use it only if you are comfortable with the skill downloading packages and a browser binary on first run, contacting WeChat and possible mirror/aggregator sites, and sharing article-related query data externally. Prefer a version that declares permissions, pins dependencies, separates setup from runtime, and asks before using mirror fallback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not has_chromium:
        import subprocess
        print("🌐 首次运行:安装 Chromium 浏览器(~110MB)...")
        subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])
        print("✅ Chromium 安装完成")
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
        import subprocess
        print("📦 首次运行:安装 playwright + beautifulsoup4 ...")
        subprocess.check_call([sys.executable, "-m", "pip", "install", "playwright", "beautifulsoup4", "-q"])

    # 检查 chromium 是否已安装
    from pathlib import Path as _P
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "playwright", "beautifulsoup4", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions even though its documented behavior clearly requires network access, shell execution, and installation/setup actions that imply file writes. This is dangerous because users and policy systems cannot accurately evaluate or constrain what the skill will do, increasing the chance of unexpected outbound access or local environment modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates the actual behavior: the skill can install packages and Chromium at runtime, invoke setup scripts, and contact third-party sites unrelated to the primary WeChat domain. That mismatch is dangerous because reviewers and users may approve a seemingly simple reader skill without realizing it can modify the host and exfiltrate derived data to external services.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code path auto-installs packages and Chromium, giving the skill the ability to download and install software on the host system at runtime. In the context of an article-reading skill, that capability is unjustifiably broad and materially increases the blast radius of compromise through supply-chain abuse, unauthorized system changes, and execution of newly fetched code.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The mirror fallback sends article-related searches to third-party aggregators without warning the user that their requested URL, title, or derived query data may be disclosed externally. In this skill's context, that is more concerning because users may expect content retrieval only from WeChat, not redistribution of request context to unrelated sites with different privacy and trust properties.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.