Back to skill

Security audit

微信搜索

Security checks across malware telemetry and agentic risk

Overview

This appears to be a WeChat search skill, but it automatically sends queries to an external API and saves full search outputs locally without clear opt-in controls.

Install only if you are comfortable with WeChat search terms being sent to the provider service and saved locally as result logs. Avoid sensitive or confidential searches unless the skill adds a clear no-log mode, narrower trigger rules, and accurate documentation of supported article/video-only behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documentation describes a simple WeChat search tool, but also states that outputs are automatically written to local log files and implies remote token-gated service interaction, while omitting these behaviors from the high-level description. This mismatch can cause users or calling agents to send sensitive search terms or token-backed queries without understanding that data will be persisted locally and transmitted to a third party.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
Claiming image-search support when only article and video interfaces are exposed is a deceptive interface inconsistency. While not directly exploitable like code injection, it can mislead agents into invoking unsupported functionality and trusting the skill's stated capabilities beyond what is actually implemented.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The skill states that search results are auto-saved to a local logs directory, but this write behavior is not clearly surfaced as part of the tool contract. Search keywords and returned content may contain sensitive business interests, investigations, or user data, and silent persistence increases exposure through local file retention and later unauthorized access.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The utility persists search-related content to local disk under a logs directory, which expands the skill from real-time retrieval into local data retention. If search queries or returned content contain sensitive or regulated information, this creates unnecessary data-at-rest exposure and may violate user expectations or platform scope constraints.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The LLM trigger conditions are broad enough that an agent could invoke the skill for loosely related requests involving WeChat content, potentially sending user prompts or keywords to an external service without sufficiently specific consent. In an agentic setting, over-broad invocation rules increase the chance of unintended data disclosure and unnecessary third-party calls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill does not prominently warn users that their searches are logged locally by default. This is dangerous because search queries may reveal confidential research topics, internal investigations, or personal interests, and undisclosed logging creates avoidable privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes the full search output, including user-supplied keywords and returned results, to a local JSON file without any opt-in or warning. This can create unintended persistence of potentially sensitive queries or content on shared systems, making later disclosure through local access, backups, or log collection more likely.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The CLI writes the full search output to a local JSON file using a filename derived from the user's keyword, without any visible notice or opt-in at the interface level. In a search tool, results and keywords may contain sensitive user interests or retrieved content, so silent persistence increases privacy and data-retention risk on shared systems or agent hosts.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.