Security audit

Wechat Md Publisher Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeChat publishing skill, but conflicting examples could cause an agent to publish public posts without the intended draft-and-confirm step.

Install only if you are comfortable giving the tool delegated access to a WeChat public account. Use a test or least-privileged account first, keep AppSecret out of chat logs and shell history, prefer environment variables, audit the pinned npm package before adding real credentials, avoid remote themes unless trusted, and require draft creation plus an explicit final confirmation before any public publish or delete action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The skill explicitly defines a safer 'draft first + human confirmation' policy for AI automation, but this later example instructs the AI to publish immediately after receiving content. That contradiction can cause an agent to skip the intended approval gate and expose incorrect, noncompliant, or sensitive content directly to a public WeChat account.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
This workflow describes AI automation as extracting content and then publishing it directly, which bypasses the documented requirement for draft creation and human review. In a publishing skill, this increases the chance of accidental public release of scraped, malformed, infringing, or policy-violating content.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The example dialogue again demonstrates end-to-end direct publication of scraped news content without an approval checkpoint. Because the skill operates on a real public distribution channel, inconsistent examples materially raise the likelihood that downstream agents or operators follow the unsafe path instead of the safer documented process.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The example trigger phrase "帮我把这篇文章发布到微信公众号" is broad and maps directly to a real-world side effect: publishing content to an external platform. In an agent setting, this can cause the skill to activate on ordinary user requests without enforcing a safer draft-first or explicit-confirmation flow, increasing the risk of unintended publication.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The combination-workflow example uses a natural-language request like "帮我把这篇头条文章转载到我的微信公众号" that could be interpreted broadly by an orchestrating agent. Because the workflow chains content extraction and downstream publication actions, ambiguous triggering increases the chance of acting on the wrong URL, wrong article, or initiating external publication steps without sufficiently bounded user intent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding:
The example instructs immediate publication even though the document elsewhere requires confirmation-gated publishing. Security-relevant examples in skill docs often shape agent behavior, so this contradiction can lead to unauthorized or premature publication to a live audience.

Natural-Language Policy Violations

Severity: Medium
Confidence: 96%
Finding:
The AI automation workflow bypasses the stated draft-first safety policy and portrays direct publication as normal behavior. Since this skill publishes externally and can process scraped third-party content, omission of confirmation materially increases operational and compliance risk.

Natural-Language Policy Violations

Severity: Medium
Confidence: 98%
Finding:
This later dialogue repeats the same unsafe pattern of direct publication without user confirmation, reinforcing the contradictory behavior. Repeated unsafe examples make mis-execution more likely, especially for agents using examples as behavioral templates.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The quick-start instructs users to paste an AppSecret directly into a shell command without any warning that this is a sensitive credential or guidance on safer handling. In practice, secrets placed on command lines may be exposed through shell history, process listings, terminal logs, screenshots, or copied transcripts, which is especially risky in an AI/automation context handling publishing credentials.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.