WeChat MP Editor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is mostly coherent for WeChat article management, but it can use account credentials to upload drafts and publish public content without clear approval gates.

Install only if you trust the publisher with your WeChat Official Account workflow. Use a dedicated least-privilege account or token if possible, keep app secrets out of plain files and logs, review every article and image before upload, and require explicit confirmation before draft updates or freepublish submission.

SkillSpector (14)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs use of sensitive capabilities including credential access, local file read/write, and outbound network calls, but no declared permissions are provided. This creates a governance gap: the agent may be granted more effective power than users or reviewers are warned about, especially because the workflow includes publishing and credential handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
79% confidence
Finding
The documented behavior extends beyond straightforward WeChat article management into brand-specific editorial policy enforcement and auxiliary image-generation workflow. That mismatch can mislead reviewers and users about what the skill may do, reducing informed consent and increasing the chance of unexpected actions or data flows.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The workflow expands from editing/publishing WeChat articles into external topic discovery via ClawHub/GitHub Trending. This broadens network reach and data exposure beyond the stated purpose, which is risky because it can trigger unanticipated external access and content sourcing.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill includes image-prompt generation through dreamina-cli, which is outside the core WeChat API editing/publishing role. This adds extra execution surface and potential third-party interaction not obvious from the skill description, increasing supply-chain and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Using an external CLI introduces additional execution capability and trust assumptions that are not justified by the stated role of a WeChat editor. Any CLI dependency can widen the attack surface through local command execution, unexpected filesystem access, or indirect network activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill handles credentials, writes files, performs API calls, uploads media, updates drafts, and can publish content, yet it does not provide an explicit warning or consent checkpoint for these data-affecting actions. In context, this is more dangerous because publishing and credential use can have real external consequences on a live WeChat account.

External Transmission

Medium
Category
Data Exfiltration
Content
#### Read back and verify immediately after submission

```python
resp = requests.post(".../draft/get?...", json={"media_id": draft_id})
content = resp.json()["news_item"][0]["content"]

# Content that must be verified
```
Confidence
72% confidence
Finding
requests.post(".../draft/get?...", json=

External Transmission

Medium
Category
Data Exfiltration
Content
**Body images** (`/cgi-bin/media/uploadimg`):
```bash
curl -s -F "media=@image.png" "https://api.weixin.qq.com/cgi-bin/media/uploadimg?access_token=***"
```
Returns `{"url": "http://mmbiz.qpic.cn/..."}`.
Confidence
80% confidence
Finding
curl -s -F "media=@image.png" "https://api.weixin.qq.com/cgi-bin/media/uploadimg?access_token=***" ``` Returns `{"url": "http://mmbiz.qpic.cn/..."}`. **Cover image** (`/cgi-bin/material/add_material`

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Get token

`GET https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=***`

Returns `access_token`, valid 2h.
Confidence
78% confidence
Finding
https://api.weixin.qq.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**Body images** (`/cgi-bin/media/uploadimg`):
```bash
curl -s -F "media=@image.png" "https://api.weixin.qq.com/cgi-bin/media/uploadimg?access_token=***"
```
Returns `{"url": "http://mmbiz.qpic.cn/..."}`.
Confidence
80% confidence
Finding
https://api.weixin.qq.com/

External Transmission

Medium
Category
Data Exfiltration
Content
**Cover image** (`/cgi-bin/material/add_material`):
```bash
curl -s -F "media=@cover.png" "https://api.weixin.qq.com/cgi-bin/material/add_material?access_token=***&type=image"
```
Returns `{"media_id": "..."}`. **The cover image must be a 1:1 square**, otherwise error 53402 is returned.
Confidence
80% confidence
Finding
https://api.weixin.qq.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
json.dump(payload, f, ensure_ascii=False)  # ensure_ascii=False is required
```
```bash
curl -s -X POST "https://api.weixin.qq.com/cgi-bin/draft/add?access_token=***" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data-binary @/tmp/draft.json
```
Confidence
86% confidence
Finding
https://api.weixin.qq.com/

Credential Access

High
Category
Privilege Escalation
Content
---
name: wechat-mp-editor
description: "Create, edit, and manage WeChat Official Account (公众号/服务号) articles via the official WeChat API. Handles access token management, image uploads, draft CRUD, publishing, and HTML content formatting with WeChat-compatible CSS. Trigger when the user asks to: write/edit WeChat articles, create/publish drafts, format WeChat push notifications, generate article HTML, or manage WeChat MP drafts through the API."
---

# WeChat MP Editor
Confidence
89% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
## Overview

Full workflow: credentials → access token → image upload → draft creation → publishing.

**One fixed template** — visual branding consistent. Only content (text, date, banner) changes.
Confidence
90% confidence
Finding
access token

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
