Security audit

Wechat Mp Publish

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly a WeChat draft publishing tool, but it handles credentials, local files, uploads, draft deletion, and unvalidated remote image fetching with incomplete disclosure and guardrails.

Review before installing. Use a dedicated WeChat account or limited credentials, avoid the plaintext config command unless file permissions are locked down, supply explicit local cover images instead of letting it fetch a default remote image, and do not pass internal/private URLs as image or cover inputs. Install in a virtual environment and treat any saved draft, uploaded image, and article content as data sent to WeChat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (27)

Tainted flow: 'files' from requests.get (line 131, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
params = {"access_token": access_token, "type": "image"}

files = {"media": ("cover.jpg", io.BytesIO(response.content), "image/jpeg")}
upload_resp = requests.post(url, params=params, files=files, timeout=30)
result = upload_resp.json()
print(f"upload_permanent_image_from_url: result = {result}")
return result
Confidence
91% confidence
Finding
upload_resp = requests.post(url, params=params, files=files, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly requires filesystem access, network access, environment/config access, and likely shell/package installation. This creates a transparency and consent problem: users and the hosting platform cannot accurately evaluate what resources the skill will touch before execution, increasing the risk of unintended file access, credential exposure, or outbound data transfer.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is limited to publishing WeChat articles, but the detected behaviors include broader and more sensitive capabilities such as token management, draft listing/deletion, remote content fetching, AI rewriting, credential encryption/decryption, and security-state inspection. This mismatch is dangerous because it undermines informed consent and expands the attack surface into credential handling, destructive actions, and exfiltration of local or remote content beyond what the user would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The README states the tool supports 'AI写作、本地文件、爬虫伪原创' ("AI writing, local files, crawler pseudo-original rewriting"), which expands the effective capability beyond the skill's declared purpose of publishing articles. This matters because users and orchestration systems may trust the manifest scope, while the documentation encourages scraping and content generation workflows that can introduce legal, policy, and security risk not reflected in the skill metadata.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The README claims concrete protections such as path validation, SSRF prevention, input sanitization, file type validation, and size limits, but those controls are not evidenced by the documented structure or usage in this file. Unsubstantiated security claims can cause operators to overtrust the skill and enable risky inputs or deployments under false assumptions about built-in protections.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The docstring advertises crawling and '伪原创' ("pseudo-original") rewriting capabilities that are not disclosed in the skill metadata, materially expanding the tool from publishing into third-party content acquisition and transformation. Hidden or under-disclosed network/content-reuse functionality is dangerous because it can exfiltrate URLs/content, violate user expectations, and enable misuse outside the declared purpose.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Accepting an arbitrary user-supplied crawl URL for fetching and rewriting content introduces unjustified remote access behavior for a publishing skill. In an agent context this can be abused to access unexpected external resources, relay sensitive URLs/content to downstream components, or facilitate plagiarism/content laundering workflows.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This file implements a project security-auditing capability that is unrelated to the stated skill purpose of publishing WeChat public account articles. In an agent skill, extra filesystem-inspection capabilities increase the attack surface and can enumerate sensitive files, configuration, and dependency metadata from the host project without being necessary for article publishing.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description suggests local image upload and draft saving, but the implementation additionally fetches arbitrary remote images and silently falls back to a public default cover. This mismatch is dangerous because users may not realize the tool can contact external hosts and transmit fetched content onward.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Fetching arbitrary external URLs is broader than needed for publishing WeChat articles and creates an SSRF-like primitive. In an agent/tooling context, this can be abused to make network requests to unintended hosts or to proxy content from untrusted sources into the publishing pipeline.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The documentation understates the tool's capabilities by omitting its remote-download behavior and automatic external cover retrieval. This is a real security transparency issue because users and orchestrators may grant broader network access than they intended.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module advertises support for "web crawling + pseudo-original rewriting," which is outside the stated scope of a WeChat article publishing tool. This scope expansion creates misuse risk by enabling acquisition and transformation of third-party content without provenance checks, permissions validation, or policy guardrails, making the skill materially more dangerous in context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The function implements URL-based content intake and AI rewriting despite the skill being described as a WeChat official account (公众号) publishing/save tool. In this context, that behavior can facilitate plagiarism laundering, policy evasion, and unauthorized reuse of external material, especially because there are no controls for ownership, attribution, or allowed domains.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation phrase '发布文章到公众号' ("publish article to official account") is broad and does not constrain account selection, content source, publication target, or whether the action is publish versus save-draft. In an agent setting, ambiguous triggers can cause the skill to activate in unintended contexts and process sensitive credentials or publish content without sufficiently explicit user confirmation.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Broad trigger phrases such as generic requests to publish or create a public-account article can overlap with ordinary conversation and cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous because activation may lead to local file access, automatic image upload, and transmission of article content or credentials to external WeChat services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description mentions automatic local image upload and article publishing, but does not sufficiently warn that local files, article contents, and potentially associated credentials/configured account data will be transmitted to a third-party service. This is a meaningful disclosure failure: users may provide local Markdown paths or content without realizing the skill will automatically upload embedded images and interact with WeChat APIs using sensitive credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The config command writes AppID and AppSecret in plaintext JSON to a local file without warning, permission hardening, or secure storage. This creates a realistic credential exposure risk through accidental commits, weak filesystem permissions, backup leakage, or multi-user host access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Remote image download and re-upload happens without clear disclosure that the provided URL will be fetched and its contents sent to external parties. In a tool/agent setting, that hidden data movement can expose internal resources or sensitive URLs and surprises users about where their data goes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
When no cover is provided, the tool silently fetches a random image from an external service. That creates undisclosed third-party network traffic and unpredictable content ingestion, which is especially risky in automation environments with restricted egress or compliance requirements.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The crawling and rewriting flow provides no user-facing warning or enforcement around sourcing external content and transforming it for publication. That omission increases the chance of accidental or deliberate misuse for copyright infringement, deceptive republishing, or publication of unverified scraped material.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
Promoting "pseudo-original" content generation is a strong policy red flag because it frames the tool as helping users disguise reused content as new work. In the context of a publishing assistant, this makes the skill more dangerous by aligning it with deceptive content transformation rather than legitimate editorial assistance.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
cryptography>=41.0.0
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
cryptography>=41.0.0
Confidence
92% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
cryptography>=41.0.0
Confidence
95% confidence
Finding
cryptography>=41.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.secret_argv_exposure

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
ENCRYPTION.md:127

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/wechat/api_client.py:292

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
ENCRYPTION.md:53