Security audit

Maxhub Wechat

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent, but it should be reviewed because it enables WeChat media downloading/decryption and broad third-party data collection with inconsistent safeguards.

Install only if you are comfortable sending WeChat URLs, search terms, account IDs, and any optional credentials to MaxHub/aconfig.cn. Treat comment/profile data, IP-region fields, media download links, and decryption keys as sensitive; use the skill only for authorized research and require explicit confirmation before any video download/decryption, bulk collection, or cross-domain account profiling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Severity: Medium, confidence 92%
The manifest and top-level description frame the skill as WeChat Official Accounts public-content querying, but the body expands scope to Video Channels and WeChat Search, materially broadening data access and processing. This mismatch can cause agents or reviewers to grant trust, permissions, or approvals under an incomplete understanding of what the skill actually does, increasing the risk of unintended third-party data transmission and overcollection.

Intent-Code Divergence

Severity: Medium, confidence 95%
The document gives conflicting guidance on endpoint risk and confirmation: some sections say all 22 endpoints are 'risk: high' and require user confirmation, while the example workflow says 'risk: low' endpoints can be called directly. Contradictory safety instructions are dangerous because agents may follow the less restrictive path and send sensitive URLs, usernames, keywords, or optional cookies to the third-party API without the intended confirmation gate.

Description-Behavior Mismatch

Severity: Medium, confidence 93%
The file materially expands the skill from public WeChat Official Accounts analysis into WeChat Channels account profiling, comment access, live-history retrieval, media download, and decryption workflows. That scope expansion increases the chance an agent will access or process data beyond the declared purpose and user expectations, especially where video/media artifacts and profile/comment metadata are involved.

Context-Inappropriate Capability

Severity: High, confidence 98%
The documentation explicitly instructs the agent to download encrypted MP4 files and use returned decode keys or third-party/self-hosted tools to decrypt them. This facilitates extraction of protected media rather than simple metadata analysis, creating clear copyright, privacy, and misuse risk that exceeds a read-only analytics use case.

Context-Inappropriate Capability

Severity: Medium, confidence 79%
Generating outward-facing share links is an action-enabling capability that goes beyond passive query/analysis and can facilitate redistribution of content. In this context, it broadens the skill from analysis into propagation, which is not clearly disclosed by the manifest and may undermine data-minimization expectations.

Description-Behavior Mismatch

Severity: Medium, confidence 92%
The recipe index exposes video-channel and live-stream workflows that extend beyond the stated WeChat Official Accounts scope. This scope expansion increases the chance that an agent will access or correlate additional media, author, or engagement data without the user clearly understanding that broader collection is in play, creating privacy and authorization-boundary risk.

Description-Behavior Mismatch

Severity: Medium, confidence 94%
The chain graph explicitly encourages identity pivoting from article-derived usernames into video, collection, and live-profile exploration across domains. Even if each endpoint is individually read-only, chaining them can materially increase profiling capability and enable data aggregation beyond the original user request, which is especially sensitive given the skill's own note about privacy-sensitive media and comment data.

Description-Behavior Mismatch

Severity: Medium, confidence 95%
The recipe explicitly supports fetching video details that include downloadable media and decryption keys, which goes beyond ordinary public-content search/analysis and enables access facilitation for protected media. In this skill context, that is especially risky because the metadata already notes privacy and copyright sensitivity, yet the workflow exposes the capability as a normal search path without authorization checks or minimization guidance.

Context-Inappropriate Capability

Severity: Medium, confidence 92%
The documentation explicitly describes a workflow to obtain a video's `full_url` and `decode_key` and then decrypt downloaded media. That goes beyond a read-only search/analysis posture and materially lowers the barrier to copying protected media, creating clear copyright, privacy, and misuse risk if an agent follows the chain automatically.

Vague Triggers

Severity: Medium, confidence 83%
Recipe selection is driven by broad trigger-keyword scanning with longest-match heuristics, but there are no narrow activation constraints, negative examples, or exclusions. That makes overbroad or ambiguous activation more likely, which can cause the agent to select a data-exfiltrating workflow for loosely related user requests and transmit unnecessary user data to the external service.

Missing User Warnings

Severity: Medium, confidence 87%
The file documents access to profile, comment, live, and media-related data while labeling the risk as high, but it does not provide explicit operational safeguards for privacy-sensitive handling at the point of use. Without clear warnings and minimization rules, an agent may over-collect, expose, or retain personal or sensitive metadata such as commenter nicknames, IP region, and account profiling data.

Missing User Warnings

Severity: High, confidence 96%
The decryption section directs use of third-party and self-hosted tooling on encrypted media without any warning about trust boundaries, handling of potentially sensitive files, or legal/authorization constraints. This can lead users or agents to exfiltrate media to untrusted services or process protected content outside approved environments.

Missing User Warnings

Severity: Medium, confidence 83%
This section documents retrieval of article comments and replies, including potentially sensitive user-generated fields such as nicknames, comment text, and IP attribution, but does not pair those capabilities with concrete privacy-use constraints, consent requirements, or minimization guidance at the endpoint level. In a skill intended for agentic use, that omission can lead downstream agents to over-collect or expose personal data during normal operation.

Missing User Warnings

Severity: Medium, confidence 78%
The introductory section identifies a third-party base URL and describes article/account lookup flows, but does not clearly disclose at the point of use that user-supplied article URLs, usernames, and related identifiers will be transmitted to an external service. That gap can cause unintentional disclosure of user-provided targets or research interests, especially when the skill is used in automated chains.

Vague Triggers

Severity: Medium, confidence 87%
Several trigger phrases remain broad conversational terms such as '看评论', '谁发的', and '历史文章', which can match common user language in unrelated contexts. In an orchestration file, over-broad triggers can cause unintended API calls, retrieving sensitive comments, profile data, or linked content that exceeds user intent and undermines data minimization.

Missing User Warnings

Severity: Medium, confidence 91%
The documentation advertises that `video_detail` includes media download capability and decryption keys but provides no warning, restriction, or handling requirements. That omission normalizes sensitive access and increases the chance an agent or user will retrieve and misuse protected media or keying material without considering legal, privacy, or copyright boundaries.

Missing User Warnings

Severity: Medium, confidence 89%
The same section documents downloading and decrypting video content but provides no warning about privacy, copyright, authorization, or downstream handling obligations. In an agent skill, operational instructions without safety guardrails can cause automated misuse at scale, especially when chained from search to retrieval to decryption.

Missing User Warnings

Severity: Medium, confidence 81%
The file presents cross-reference search and chaining behavior that sends search keywords and derived identifiers such as usernames and export IDs to an external service, but does not clearly warn that this transmits potentially sensitive user/content metadata off-platform. That omission can lead agents to disclose research targets, monitored accounts, or other sensitive query context to a third party without informed consent or minimization.

Natural-Language Policy Violations

Severity: Medium, confidence 90%
The guidance makes a China-specific service the default recommendation in update instructions without explicit user opt-in or jurisdiction/privacy caveats. In a skill that handles media, comment, and potentially sensitive public-account data, steering users toward a region-specific registry can create privacy, compliance, and trust-boundary risks if users are not clearly informed of where metadata or downloads are sourced.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.