Send Message to Enterprise WeChat

Security checks across malware telemetry and agentic risk

Overview

This skill appears to send Enterprise WeChat messages as advertised, but it gives the agent broad ability to transmit chosen text and local or remote image contents to webhook URLs, with weak scoping and default mass mentions.

Review before installing. Use this only if you want the agent to post to Enterprise WeChat webhooks. Treat webhook URLs as secrets, verify every webhook destination, avoid sending credentials or sensitive local files, and consider modifying the script so that @all mentions are opt-in and image inputs are limited to trusted image files or approved URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents outbound network behavior to Enterprise WeChat webhooks, but no explicit permission declaration is present. In an agent environment, undeclared network capability reduces transparency and can cause users or orchestrators to approve execution without realizing data will leave the local context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose understates important behaviors: downloading arbitrary image URLs, reading local files, defaulting text mentions to @all, and rewriting long messages through chunking. These extra capabilities materially change the security posture because they enable unexpected data exfiltration from local paths or remote fetches and can amplify operational impact by notifying all recipients.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The image handler accepts arbitrary HTTP(S) URLs and fetches them server-side before forwarding the image, which introduces SSRF-style behavior unrelated to simply formatting and sending WeCom messages. An attacker who can control the image path can force the runtime to make outbound requests to internal services, cloud metadata endpoints, or other sensitive network locations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The image processor reads any local file path provided by the caller and base64-encodes it for transmission, creating an arbitrary file read and exfiltration path. In an agent environment, this can expose secrets such as configuration files, SSH keys, tokens, or other sensitive local data under the guise of sending an image.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
All text messages forcibly include mentioned_list and mentioned_mobile_list set to @all, causing every text send to become a mass notification. This exceeds the stated functionality of a generic message-sending skill and can be abused for spam, alert fatigue, and disruptive broad notifications in production chat groups.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explains how to send messages but does not prominently warn that supplied text, image paths/URLs, and article links are transmitted to an external webhook endpoint. This can mislead users into pasting sensitive internal content or local file references without understanding that the data will leave the current trust boundary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Allowing arbitrary custom webhook URLs without a strong warning expands the trust boundary from Enterprise WeChat to any attacker-controlled endpoint. A user could be induced to provide a malicious webhook, causing confidential messages or fetched resource contents to be exfiltrated to an untrusted third party.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The usage examples explicitly demonstrate sending arbitrary message content to an external Enterprise WeChat webhook, including a custom webhook URL, but do not clearly warn that this transmits potentially sensitive data outside the agent/runtime boundary. In an agent skill context, users may paste operational data, alerts, or internal details into these examples, creating a real risk of unintended data exfiltration to a third-party endpoint if the webhook is misconfigured, attacker-controlled, or shared insecurely.

VirusTotal

66/66 vendors flagged this skill as clean.