WeChat Official Account Auto-Publishing

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can publish live WeChat posts using saved account cookies with limited safety gates.

Install only if you intentionally want this skill to operate a real WeChat Official Account. Use --draft first, review the article and generated cover manually before live publishing, protect or delete ~/.wechat_mp/cookies.json when not needed, avoid untrusted content files, and consider pinning the Playwright dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README encourages direct publication to a live WeChat public account and explicitly says omitting --draft will publish immediately, but it does not warn about the irreversible or externally visible effects of publishing. In an automation skill, this increases the risk of accidental public posting, reputational harm, or unintended dissemination if a user misunderstands the command or runs a copied example unchanged.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that login cookies are automatically saved to ~/.wechat_mp/cookies.json but does not warn that these cookies are sensitive session artifacts that can grant account access if stolen. Users may leave the file with weak filesystem permissions, include it in backups, or expose it on multi-user systems, increasing the chance of account compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill automates actions against a live WeChat Official Account, including saving drafts and directly publishing content, but the description does not prominently warn that it can change public-facing account content and account state. Users may invoke it without understanding that it performs irreversible or high-impact account actions, increasing the risk of accidental publication, reputation damage, or account misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises persistent cookie reuse for login convenience but does not clearly warn that authentication cookies are stored locally and may grant access to the WeChat account if stolen. Because these cookies are long-lived and tied to an account capable of publishing content, insecure local storage can lead to account takeover or unauthorized publishing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes a direct publish command for a public WeChat account without clearly warning that it can immediately post content live rather than saving a draft. In an automation skill that targets a real publishing platform, this omission increases the chance of accidental public posting, reputational damage, and unintended dissemination of content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises automatic cookie reuse for persistent login but does not warn that stored session cookies are sensitive authentication material. If those cookies are copied, exposed, or left unprotected on disk, another party may gain access to the associated WeChat publishing account without re-authentication.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persistently stores authenticated WeChat MP session cookies in a predictable file under the user's home directory without encryption, restrictive permission handling, or an explicit warning/consent flow. If another local user, malware, backups, or misconfigured file permissions expose that file, an attacker could reuse the session to access and publish from the account.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script can directly publish content once invoked, with no final user confirmation immediately before the irreversible publish action. In an automation context, mistaken inputs, prompt injection in upstream agent chains, or accidental execution could cause unauthorized or unintended public posts on an official account.

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
Confidence
92% confidence
Finding
playwright>=1.40.0

VirusTotal

66/66 vendors flagged this skill as clean.
