
Security audit

Wechat Mp Auto

Security checks across malware telemetry and agentic risk

Overview

This WeChat automation skill mostly matches its purpose, but it needs review because some safety modes, credential handling, and account-changing helper functions are broader than the main instructions make clear.

Install only for a WeChat public account you are comfortable automating. Use dedicated WeChat and provider credentials, review generated content and images before public posting, avoid check-only mode for sensitive drafts unless network/media side effects are acceptable, and clear or protect ~/.config/wechat-mp-auto, ~/.cache/wechat-mp-auto, and relevant OpenClaw credential files on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Context-Inappropriate Capability

Medium severity, 95% confidence
Finding
The code reads credentials from a host-wide ~/.openclaw/.env file, which reaches outside the skill's own configuration boundary and may access unrelated secrets stored for other tools or workflows. In an agent skill context, silently harvesting secrets from shared global locations increases the chance of unauthorized credential use and violates least-privilege expectations.

Intent-Code Divergence

Medium severity, 97% confidence
Finding
The script documents `--check-only` as a non-pushing safety mode, but code paths still perform networked actions such as content review, cover/image search, remote image downloads, and URL reachability checks. This can violate operator expectations, trigger unintended outbound requests, leak article contents or metadata to third-party services, and cause SSRF-style access to attacker-controlled URLs embedded in content.

Intent-Code Divergence

Medium severity, 96% confidence
Finding
The help text promises that `--check-only` will only perform checks and not push, but the implementation still reaches external systems during checking. In a security context, misleading safety flags are dangerous because users may run the mode on sensitive content assuming no data leaves the host, while the script still makes outbound requests and may download attacker-supplied resources.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The draft-management skill unexpectedly performs network fetches to arbitrary image URLs, writes downloaded content to local cache files, and invokes another skill to upload that content. This expands the skill's trust boundary beyond draft operations and can enable SSRF-style outbound requests, unreviewed data exfiltration to a third-party API, and persistent local file writes triggered by article content rather than an explicit user action.

Intent-Code Divergence

Medium severity, 97% confidence
Finding
The AWS Bedrock code comments state that authorization behavior exists, but the implementation sends no AWS SigV4 signature and does not actually use the retrieved credential in the request. This mismatch can mislead operators into believing requests are authenticated when they are not, causing silent failure or encouraging unsafe deployment behind permissive gateways.

Intent-Code Divergence

Medium severity, 98% confidence
Finding
The Tencent method claims HMAC-SHA1 authentication but never computes or attaches a signature, and the api_key parameter is unused. This creates a dangerous discrepancy between documented and actual behavior, leading callers to assume authenticated requests are being made when they are not.

Context-Inappropriate Capability

Medium severity, 89% confidence
Finding
The skill enumerates models and reads API credentials from external OpenClaw configuration and credential files, then uses them to contact third-party services. In a plugin/skill context, this expands privilege beyond the skill's declared scope and can cause use of unrelated accounts without clear user consent.

Context-Inappropriate Capability

Medium severity, 97% confidence
Finding
The skill contains explicit watermark-removal logic, including detection and cropping of corner marks and removal of semi-transparent overlays. In an image-processing skill for publishing, this functionality is not necessary for normal resizing/compression and materially increases abuse potential by enabling copyright or attribution stripping.

Missing User Warnings

Medium severity, 83% confidence
Finding
The function reads WECHAT_APP_ID and WECHAT_APP_SECRET directly from environment variables without any user-facing disclosure, consent flow, or boundary indicating when secret material will be consumed. While common in CLI tooling, this is security-relevant in an agent skill because the skill can access host secrets implicitly and users may not expect credential collection.

Missing User Warnings

Medium severity, 94% confidence
Finding
The code parses a .env file for credentials without any disclosure to the user that local secret files will be inspected. In an agent setting this is dangerous because .env files often contain broader secrets than needed, and silent file-based secret access can exceed the intended trust boundary.

Missing User Warnings

Medium severity, 88% confidence
Finding
The code persists `app_id` and `app_secret` directly to `~/.config/wechat-mp-auto/config.json` in plaintext, with no permission hardening, encryption, or user warning that secrets will be stored locally. If the host is multi-user, backed up insecurely, or compromised by other local processes, these credentials can be exposed and abused to access the WeChat MP integration.

Missing User Warnings

Medium severity, 94% confidence
Finding
The skill sends article-derived text to the Tavily external search API without any explicit consent, warning, or disclosure to the user. Because article content may contain unpublished, proprietary, or sensitive material, this creates a real confidentiality and privacy risk through third-party transmission.

Missing User Warnings

Medium severity, 95% confidence
Finding
The skill stores article excerpts persistently in a local history file without warning or consent. Since the saved title field is actually populated with the first 500 characters of content, sensitive article text may be retained on disk and later exposed to other local users, backups, or forensic recovery.

Missing User Warnings

Medium severity, 91% confidence
Finding
When auto_upload_thumb is enabled, the code downloads remote content and writes it to the user's home cache directory without any explicit warning, confirmation, or strong validation. That makes side effects opaque to the caller and increases the risk of unexpected disk usage, retention of untrusted files, and processing of attacker-controlled remote resources.

Missing User Warnings

Medium severity, 94% confidence
Finding
The code reads API keys from local credential storage and then uses them for provider access without any user-facing disclosure or consent prompt. In an agent skill environment, silent credential consumption is security-relevant because users may not expect a content-generation feature to access unrelated saved secrets.

Missing User Warnings

Medium severity, 95% confidence
Finding
Model probing automatically sends authenticated requests to external image-generation providers to test capability, without clear user disclosure. Even though the probe prompt is minimal, it still triggers billable third-party API calls and reveals that the user has configured specific provider accounts and endpoints.

Missing User Warnings

Medium severity, 96% confidence
Finding
The image generation paths transmit user prompts and article-derived content to external providers, but the code shows no explicit privacy warning or consent flow. In a publishing workflow, prompts may contain proprietary, sensitive, or unpublished content, so silent third-party transmission is materially risky.

Missing User Warnings

Medium severity, 84% confidence
Finding
User-supplied topics and keywords are transmitted to Tavily without any visible disclosure, consent gate, or privacy control in the skill. If users provide sensitive research subjects, proprietary plans, or personal data, that information is sent to a third-party search provider and may be logged or retained externally.

Missing User Warnings

Medium severity, 90% confidence
Finding
The skill forwards the full user query to DuckDuckGo over the network without any user-facing warning or consent mechanism. In an agent setting, this can silently leak sensitive user intent, internal project names, or confidential topics to an external service.

Missing User Warnings

Medium severity, 91% confidence
Finding
The Baidu fallback sends user queries to an external service without disclosure or opt-in. Because this is a lower-priority automatic fallback, users may be unaware that failed searches on one provider cause their query to be sent to additional third parties, increasing privacy and compliance risk.

Natural-Language Policy Violations

Medium severity, 79% confidence
Finding
The hard-coded Accept-Language header forces a Chinese locale for Baidu requests without user choice. While not a direct exploit primitive, it can disclose assumptions about user region/language preferences and may affect how user data is handled by the remote service.

Missing User Warnings

Medium severity, 91% confidence
Finding
The skill persists follower/user information, including identifiers and profile data, to a local file under the user's home directory without any visible consent, retention control, or file-permission hardening. This creates a privacy and data-exposure risk because other local processes or users may access the cache, and sensitive follower data may remain on disk longer than intended.

Ssd 3

Medium severity, 96% confidence
Finding
Persisting portions of user/article content to disk creates a clear data retention risk, especially because the implementation stores the first 500 characters of article content. In a content-review skill, inputs are likely to include drafts or unpublished material, making unauthorized local disclosure more harmful than in a public-only context.

External Transmission

Medium severity, 84% confidence
Category: Data Exfiltration
Content:

    url = f"https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={self.app_id}&secret=***"

    response = requests.get(
        f"https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={self.app_id}&secret={self.app_secret}",
        timeout=10
    ).json()

Finding
Outbound request to https://api.weixin.qq.com/ with the app secret passed as a URL query parameter.

Unpinned Dependencies

Low severity, 91% confidence
Category: Supply Chain
Content:

    # Core
    requests>=2.28.0
    PyYAML>=6.0

    # Image Processing (optional but recommended)

Finding
requests>=2.28.0 is a lower bound only, not an exact version pin.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.