Security audit

qywx-notify

Security checks across malware telemetry and agentic risk

Overview

The skill does its stated WeCom notification job, but it exposes webhook secrets and message contents through logs and command responses.

Install only if you are comfortable with local or centralized logs and skill outputs potentially containing the WeCom webhook URL and notification contents. Treat the webhook URL like a password, avoid sending sensitive messages through this version, and rotate the webhook if it has already run in an environment where logs or command outputs are shared.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (5)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill logs the full outbound request body before transmission, which includes the notification content and any embedded image URLs or mentions. In a notification skill, message bodies may contain operational alerts, secrets, incident details, or personal data, so writing them to logs creates an unnecessary secondary disclosure channel.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The constructor logs the entire config object, and that config can contain defaultWebhook, which is effectively a secret-bearing destination URL. Exposing webhook URLs in logs can let anyone with log access reuse the webhook to send unauthorized messages to the target WeCom group.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The config command returns the full runtime configuration object while also computing a masked webhook, which strongly suggests the unmasked defaultWebhook may be exposed to callers. Because webhook URLs function as bearer-style secrets for posting messages, disclosure can directly enable unauthorized notification spoofing.

Ssd 3

Medium

Confidence: 95% confidence
Finding: On both success and failure, the method returns request details including content, image, and in error cases the original params object, which may include the raw webhook. This can leak sensitive user-supplied data through API responses, downstream logs, or UI surfaces that display skill output.

Ssd 3

Medium

Confidence: 99% confidence
Finding: This config handler exposes the full config object even though a maskedWebhook field is separately provided, meaning the secret-bearing webhook may still be disclosed. In this skill's context, that is especially dangerous because possession of the webhook is sufficient to send messages into the organization's chat channel.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal