Back to skill

Security audit

WeChat Article Video

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent article-to-video workflow, but one TTS provider can send API keys and narration to an unvalidated custom endpoint.

Install only if you are comfortable with a local workflow that runs scripts, creates and overwrites media outputs, fetches runtime tools, and sends narration text to selected TTS providers. Do not set MIMO_BASE_URL to an untrusted host, and use provider API keys only in a trusted environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'base_url' from os.environ.get (line 112, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
# Token Plan 用户应使用其专属 Base URL;普通 API 用户可通过 MIMO_BASE_URL 覆盖。
    base_url = os.environ.get("MIMO_BASE_URL", "https://token-plan-cn.xiaomimimo.com/v1").rstrip("/")
    resp = requests.post(
        f"{base_url}/chat/completions",
        # MiMo V2.5 的 OpenAI 兼容接口支持 Bearer 鉴权;使用标准形式以兼容 SDK 与网关。
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
Confidence
95% confidence
Finding
resp = requests.post( f"{base_url}/chat/completions", # MiMo V2.5 的 OpenAI 兼容接口支持 Bearer 鉴权;使用标准形式以兼容 SDK 与网关。 headers={"Authorization": f"Bearer {api_key}", "Content-Type"

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs an agent to read and write local files, execute shell/Python/Node commands, access environment variables for API keys, and make outbound network calls to TTS services, yet it does not declare permissions or boundaries in a machine-readable way. This is dangerous because an orchestrating agent or user may invoke it without understanding the full capability scope, increasing the chance of unintended file modification, credential exposure, or external data transfer.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text uses broad phrases like converting any article/material to video and references multiple generic scenarios, making the skill easy to invoke outside narrowly intended contexts. Over-broad triggering is risky because it can cause an agent to run a powerful pipeline with shell, file, and network side effects on loosely related user requests, especially when the skill is framed as usable by many agent runtimes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation directs the agent to execute scripts, write multiple output artifacts, and call external TTS/rendering tools and APIs, but it does not prominently require user consent or warn that article content, assets, and possibly sensitive material may be transmitted to third-party providers. This is dangerous because users may unknowingly expose copyrighted, confidential, or regulated content and incur costs while the agent performs irreversible side effects like file creation and API-backed processing.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script invokes ffmpeg with -y, which forces overwrite of the destination file without confirmation, and it also creates .caption_work artifacts automatically. In an agent-executed skill context with read/write and shell capabilities, this can cause unintended data loss or clobber existing files if paths are wrong or user intent is misinterpreted.

External Transmission

Medium
Category
Data Exfiltration
Content
# Token Plan 用户应使用其专属 Base URL;普通 API 用户可通过 MIMO_BASE_URL 覆盖。
    base_url = os.environ.get("MIMO_BASE_URL", "https://token-plan-cn.xiaomimimo.com/v1").rstrip("/")
    resp = requests.post(
        f"{base_url}/chat/completions",
        # MiMo V2.5 的 OpenAI 兼容接口支持 Bearer 鉴权;使用标准形式以兼容 SDK 与网关。
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
Confidence
94% confidence
Finding
requests.post( f"{base_url}/chat/completions", # MiMo V2.5 的 OpenAI 兼容接口支持 Bearer 鉴权;使用标准形式以兼容 SDK 与网关。 headers={"Authorization": f"Bearer {api_key}", "Content-Type": "applicat

Env Variable Harvesting

High
Category
Data Exfiltration
Content
messages.append({"role": "assistant", "content": text})

    # Token Plan 用户应使用其专属 Base URL;普通 API 用户可通过 MIMO_BASE_URL 覆盖。
    base_url = os.environ.get("MIMO_BASE_URL", "https://token-plan-cn.xiaomimimo.com/v1").rstrip("/")
    resp = requests.post(
        f"{base_url}/chat/completions",
        # MiMo V2.5 的 OpenAI 兼容接口支持 Bearer 鉴权;使用标准形式以兼容 SDK 与网关。
Confidence
93% confidence
Finding
os.environ.get("MIMO_BASE_URL", "https://token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.