Back to skill

Security audit

阿淼发公众号

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeChat publishing helper, but it can use account credentials to publish externally and includes paths that reduce or bypass final user confirmation.

Review before installing. Use only with WeChat accounts you control, avoid Turbo or any auto-submit path until you trust the workflow, require a confirmation before publishing, inspect the full runtime before giving it credentials, and keep .env files, token caches, saved drafts, and publish logs out of shared or synced locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list includes broad phrases like '写完发一下' and '帮我发到公众号,' which can cause accidental activation for a high-impact action: publishing content to an external account. In an agent environment, overly permissive routing to a publish-capable skill raises the risk of unintended posting or confusing this skill with a drafting-only request.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Turbo mode explicitly skips pre-publish confirmation and auto-proceeds with publication, which weakens a critical safeguard for an externally visible action. In the context of a skill that can post to an official WeChat account, this materially increases the chance of accidental, unauthorized, or insufficiently reviewed publication.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The FSM states that plain text input is automatically saved as markdown to a predictable local path, but does not require user notice or consent. In this skill's context, users may paste unpublished article drafts, sensitive campaign content, or regulated material, so silent persistence can create confidentiality and data-retention risk.

Ssd 3

Medium
Confidence
89% confidence
Finding
The skill specifies persistent per-publish logging of account aliases, article titles, keywords, quality scores, and related metadata to a local YAML file. Even without storing full article bodies, this creates a durable audit trail of potentially sensitive editorial activity and account information that could be exposed through weak local file protections, backups, or multi-user environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.