企业微信通知提醒

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Enterprise WeChat webhook notification skill with a small privacy/logging risk but no hidden or purpose-mismatched behavior.

Install only if you want the agent to send messages to an Enterprise WeChat group. Keep the webhook key private, avoid sensitive content in logged commands or scheduled tasks, review cron reminders after creating them, and be careful with broad mentions such as @all.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script prints the full JSON payload before sending it and includes the webhook key in the request URL, which can expose sensitive message contents and credentials through terminal logs, CI logs, shell history capture, process monitoring, or debugging output. In an agent or automation context, this is more dangerous because logs are often centralized and accessible to multiple users or systems, increasing the blast radius of accidental disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal