Wechat Article Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeChat article search scraper with operational and site-terms cautions, but no evidence of hidden data theft, persistence, or destructive behavior.

Install only if you are comfortable running a Node-based scraper that sends your keywords to Sogou/Weixin. Prefer a local pinned cheerio install instead of a global npm install, keep result counts modest, use real-URL resolution sparingly, avoid confidential search terms, and review output paths before saving files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The code intentionally rotates User-Agent values, harvests cookies from a different Sogou property, and tries multiple techniques to recover the final mp.weixin.qq.com URL despite anti-bot protections. That goes beyond normal search functionality and materially increases the skill's capability to evade access controls or scraping defenses, creating abuse and compliance risk even if it is not classic host-compromise behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
