WeChat Article Fetcher

Security checks across malware telemetry and agentic risk

Overview

This WeChat article fetcher mostly matches its purpose, but it needs review because it can load arbitrary non-WeChat URLs and persist fetched content to user-selected disk locations.

Install only if you are comfortable with the skill opening supplied URLs in a browser and saving page artifacts to disk. Prefer using it only with public mp.weixin.qq.com article links, avoid private or internal URLs, choose an output folder you can review, and consider pinning dependencies before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documentation describes writing fetched article content and screenshots to disk, but the skill declares no permissions. This creates a capability/permission mismatch that can bypass user expectations and policy enforcement, especially because the output directory is user-controllable and examples show writing into a workspace path.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding: The skill description says it extracts article body content, but the implementation also writes a full-page screenshot and Markdown file to disk by default. This creates a data exposure risk because fetched pages may contain sensitive or unexpected content, and saving artifacts to the current working directory can persist that data beyond the immediate task without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding: The code only warns when the URL is not on mp.weixin.qq.com, but still loads it in a real browser. This broadens the skill from a WeChat article fetcher into a general-purpose arbitrary web fetcher, which can be abused for SSRF-like access, internal network probing, or retrieval of attacker-chosen content in environments where the agent has network reachability the user should not control.

Unpinned Dependencies

Low
Category: Supply Chain
Content: DrissionPage>=4.0.0
Confidence: 92%
Finding: DrissionPage>=4.0.0

VirusTotal

66/66 vendors flagged this skill as clean.
