Wecomcli Setup

Security checks across malware telemetry and agentic risk

Overview

This WeCom skill is purpose-related but asks an agent to install software, add other skills, read enterprise data, and perform business actions automatically with too little user control.

Install only if you are comfortable with an agent making persistent local changes and accessing your WeCom environment. Before use, require explicit confirmation for npm installs, sudo commands, adding skills from GitHub, credential initialization, contact-list queries, message sending, document changes, meeting changes, schedule changes, and todo changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch (Severity: High, Confidence: 98%)

Finding: The skill explicitly instructs the agent to automatically perform installation and then execute translated enterprise WeCom commands without asking the user. That expands a guidance/translation skill into an autonomous actor that can modify the system and perform business actions, creating clear risk of unauthorized changes and unintended message, meeting, schedule, or todo operations.

Description-Behavior Mismatch (Severity: Medium, Confidence: 91%)

Finding: The documentation markets the skill as setup and natural-language translation, but later broadens it into a general-purpose enterprise WeChat operations assistant spanning contacts, todos, meetings, messages, schedules, and docs. This scope creep increases the chance the skill is triggered in contexts where users do not expect broad enterprise data access or actions.

Context-Inappropriate Capability (Severity: High, Confidence: 99%)

Finding: The skill directs automatic global npm installation and even suggests retrying with sudo, which performs system modification and privilege escalation for a skill that should only guide setup or translate commands. This can change host state without consent and increases compromise impact if package resolution or command behavior is abused.

Context-Inappropriate Capability (Severity: High, Confidence: 97%)

Finding: The skill automatically installs additional agent skills from GitHub using npx, expanding the code and capabilities available to the agent beyond the declared setup role. Pulling and enabling external content at runtime increases supply-chain and capability-escalation risk, especially when done without informed user consent.

Context-Inappropriate Capability (Severity: Medium, Confidence: 90%)

Finding: The 'verification' step calls a real contact-list API rather than using a harmless self-check, which causes enterprise data access during setup. Even read-only access is sensitive here because it touches corporate directory information unrelated to proving that the CLI binary exists and is configured.

Intent-Code Divergence (Severity: Medium, Confidence: 87%)

Finding: The skill description says it translates natural language into CLI commands, but the body instructs the agent to execute those commands automatically. That mismatch undermines user expectations and can cause users to trigger real enterprise operations when they believed they were only getting command suggestions.

Vague Triggers (Severity: High, Confidence: 94%)

Finding: The trigger phrases are very broad, including generic requests like 'I want to operate WeCom,' which can match ordinary conversation and activate a high-privilege skill unexpectedly. Because the skill then performs automatic installation and enterprise actions, overbroad activation materially raises the chance of unintended execution.

Missing User Warnings (Severity: High, Confidence: 98%)

Finding: The markdown directs automatic installation and command execution immediately on activation, without warning the user that the host system and enterprise environment may be modified. Lack of disclosure and consent is especially dangerous because the commands include package installation, credential initialization, and later business operations.

Missing User Warnings (Severity: High, Confidence: 99%)

Finding: The skill instructs the agent to run global npm installation commands, including forced install behavior, without prior user disclosure or approval. This is dangerous because it mutates the environment, may overwrite existing tooling, and can create persistent changes on the machine outside the user's expectation.

Missing User Warnings (Severity: Medium, Confidence: 93%)

Finding: The skill describes checks and verification steps that read credential-related filesystem state and enterprise contact data without a privacy warning. In the context of an enterprise communications tool, even metadata about installed credentials and directory contents is sensitive and should not be accessed silently.

VirusTotal

64/64 vendors flagged this skill as clean.