Back to skill

Security audit

claude-wechat-bridge-with-files

Security checks across malware telemetry and agentic risk

Overview

The skill clearly discloses its WeChat bridge purpose, but it adds a high-impact proactive messaging path that reuses stored credentials without strong user controls.

Install only if you intentionally want Claude/OpenClaw to read WeChat conversations and attachments and to send proactive WeChat messages from a bound account. Use a dedicated WeChat account, pin the third-party npm version, avoid sending secrets, review wsend.js before use, and do not enable the media patch or proactive sender unless you accept stored credentials, local media retention, and outbound messaging without built-in per-message approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script explicitly implements a standalone outbound sender that reuses stored credentials and sends messages independently of the normal inbound-driven bridge flow. That is a material capability expansion from a bridge/setup skill and creates a covert message-sending path that can be abused to impersonate the bot account or send unauthorized messages.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code loads token/baseUrl from ~/.wechat-claude/accounts and context tokens from ~/.wechat-claude/last-context.json, then uses them to send arbitrary outbound messages. Reusing persisted secrets and session context without explicit consent enables unauthorized messaging, cross-session abuse, and silent use of local credentials beyond the advertised bridge purpose.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The inline documentation states that the tool 'bypasses' an inbound-first restriction, indicating the feature is designed to circumvent an expected control boundary. Even if technically functional, intentionally working around platform flow restrictions increases the chance of policy violation, unauthorized use, and abuse of a messaging channel in ways operators may not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes unsolicited outbound WeChat messaging by reusing stored account credentials to send messages without prior inbound user context, but it does not present any privacy, consent, or misuse warning. In a messaging bridge skill, this increases the risk of covert notifications, unintended disclosure of task outputs, and operator misuse of a personal messaging account for silent data transmission.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code automatically downloads inbound media attachments to a local temporary directory and then exposes the resulting file paths downstream, but there is no visible consent, disclosure, or policy gate in this flow. In a bridge that moves WeChat content into another agent environment, silent persistence of user-supplied files increases privacy risk and can retain sensitive content longer than users expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The bridge forwards message content and sender identifiers over the MCP notification channel without any filtering, redaction, or visible notice. This creates a cross-system data exposure path where private chat content and metadata are transferred into Claude Code tooling, potentially broadening access beyond the original messaging context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script reads local account and context data and transmits messages over HTTP without any user-facing warning, consent prompt, or confirmation of the destination. In a skill context, that creates a quiet data-transfer path using local credentials, which can lead to unauthorized outbound communication and misuse of sensitive local state.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The comments openly describe bypassing an inbound-message restriction, which signals intentional circumvention of a control designed to limit when messages may be sent. In practice, this can enable unauthorized proactive messaging and makes the tool more dangerous because the circumvention is documented and normalized rather than accidental.

Ssd 3

High
Confidence
98% confidence
Finding
This section explicitly documents bypassing the wrapper's inbound-message prerequisite and using stored account credentials to send arbitrary proactive messages via WeChat. That creates a real abuse path for unauthorized outreach, spam, phishing, impersonation, and privacy violations if the skill or host is misused or compromised.

Ssd 3

Medium
Confidence
97% confidence
Finding
User message text and local filesystem paths to downloaded media are forwarded verbatim to another channel, which can leak both sensitive conversation contents and internal path information. In this skill's context, the bridge is explicitly designed to move WeChat data into an external agent workflow, so unredacted forwarding materially increases the chance of privacy leakage, unintended retention, and downstream misuse.

Ssd 4

High
Confidence
97% confidence
Finding
The comments describe a concrete method to bypass a messaging system's inbound-only restriction by reusing stored credentials and persisted context, which is a stepwise circumvention pattern. In the context of an agent skill, this is especially risky because it equips the skill with an unauthorized communication channel that can operate outside expected session boundaries and potentially against platform rules.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.