Security audit

Wechat Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeChat draft uploader, but it requires WeChat account credentials and uploads selected article files/images to WeChat.

Install only if you want an agent to create WeChat Official Account drafts from specific local files. Use environment variables or a protected local config for secrets, keep config.json and .token_cache.json out of version control, restrict file permissions where possible, and confirm the article and images before upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill invokes shell commands, reads and writes local files, uses environment variables for credentials, and performs network operations, yet declares no explicit permissions or trust boundaries. This can lead users or agents to run a capability-rich skill without clear consent, increasing the chance of unintended file access, credential use, or external data transmission.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README explicitly states that the skill uploads article text and images to WeChat's external service, but it does not clearly warn users that potentially sensitive content and local files will be transmitted off-system. In an agentic context, this is risky because an agent may perform the upload automatically, causing unintended disclosure of unpublished or private material.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs users to supply WX_APPID/WX_APPSECRET or config.json credentials and to use a token cache, but it provides no clear warning about secret handling, storage location, log exposure, or file permissions. In a skill that also uses shell commands and local files, this omission increases the risk of accidental credential disclosure through checked-in config files, world-readable cache files, or command/output logging.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script caches the access token in a local file under the project directory without setting restrictive file permissions or warning the user about persistence. Through multi-user systems, shared workspaces, backups, or accidental commits, this token could be exposed and reused to act on the WeChat account until it expires.

Credential Access

Severity: High
Category: Privilege Escalation
Content (quoted from the skill's documentation):

## Notes

- Access tokens are cached in `.token_cache.json` (auto-refreshed when expired)
- WeChat only accepts images hosted on WeChat CDN — always upload images first
- The draft is saved but NOT published; user must publish manually from MP backend or via `/cgi-bin/freepublish/submit`
- Subscription accounts (订阅号) may have limited publishing frequency (once per day/week)

Confidence: 89%
Finding: Access tokens

VirusTotal

66/66 vendors flagged this skill as clean.