WeChat Mini Program Builder

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate WeChat mini-program helper, but its setup instructions and file-writing scope are too unclear for automatic approval.

Review before installing. Avoid globally installing the referenced npm package unless you have independently verified it, run the tool only in a disposable project directory, use simple non-path names, and do not include secrets, customer data, internal URLs, or proprietary requirements in AI prompts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The generate_page flow sends user-supplied prompt content to a third-party AI service, which can expose sensitive business requirements, credentials, or proprietary data if users paste them into prompts. Because this is a local scaffolding tool, the network transmission meaningfully changes the trust boundary and should be explicitly disclosed and controlled.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: User-provided prompt text is forwarded directly to an external API without a clear privacy warning, confirmation step, or safeguards against accidental disclosure of secrets. This creates a realistic confidentiality risk because users may reasonably treat a code-generation helper as a local tool and provide sensitive project details.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal