Back to skill

Security audit

Wecom

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends user-provided messages to a configured WeCom webhook, with some privacy and dependency-hygiene cautions.

Install only if you intend your agent to post selected content into WeCom. Do not send secrets, credentials, regulated data, or private prompts through it unless that is approved, and keep WECOM_WEBHOOK_URL out of logs, screenshots, and source control. Prefer a version with updated dependencies and a lockfile.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (11)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes sending arbitrary message content to an external WeCom webhook, but it does not warn users that any supplied content leaves the local trust boundary and is transmitted to a third-party service. In an agent/tooling context, this creates a real risk of unintended disclosure of prompts, secrets, customer data, or internal results if the tool is invoked on untrusted or overly broad input.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly sends user-provided content to an external WeCom webhook, but the documentation does not clearly warn that any message content entered into the tool will leave the local environment and be transmitted to a third-party service. In an agent/tooling context, this can lead to unintentional disclosure of sensitive prompts, code, secrets, or internal data if users assume the tool is local-only.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions show the full webhook URL format, which functions as a bearer-style secret for posting into the target WeCom channel, but they do not emphasize that this URL must be kept confidential. If exposed in shell history, config files, screenshots, or repositories, an attacker could abuse the webhook to send unauthorized messages into the organization’s chat.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool sends caller-supplied content directly to an external WeCom webhook, but its tool descriptions do not clearly disclose that data leaves the local MCP environment and is transmitted to a third-party messaging service. In an agent setting, this can enable unintended disclosure of sensitive prompts, secrets, or user data if the model invokes the tool without the user understanding the external side effect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool takes arbitrary user-provided text and sends it to an external WeCom webhook, which is a real data egress path. Although the behavior is the advertised purpose of the skill, there is no explicit user-facing disclosure, consent gate, or content restriction at the point of use, so sensitive data could be unintentionally exfiltrated.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This markdown-sending tool forwards user-supplied content directly to an external webhook, creating the same external disclosure risk as the text message path. Because markdown often contains richer copied content such as reports, logs, or credentials, lack of an explicit egress warning increases the chance of accidental sensitive-data transmission.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown_v2 handler also sends caller-controlled content to an external WeCom endpoint without a clear warning at execution time that the data is leaving the local/system boundary. The richer formatting support may encourage sending structured internal content, which heightens accidental exfiltration risk if users are not explicitly informed.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "",
  "license": "MIT",
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "axios": "^1.6.0"
  },
  "devDependencies": {
Confidence
96% confidence
Finding
"@modelcontextprotocol/sdk": "^1.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "axios": "^1.6.0"
  },
  "devDependencies": {
    "@types/node": "^20.10.0",
Confidence
96% confidence
Finding
"axios": "^1.6.0"

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.0.0 — 2 advisory(ies): CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

High
Category
Supply Chain
Confidence
98% confidence
Finding
@modelcontextprotocol/sdk==1.0.0

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
axios==1.6.0

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:16

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/index.ts:18