Security audit

WeChat Official Account Publishing Tool (微信公众号发布工具)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeChat publishing tool, but it needs review because it can act on a public account, send draft content to external services, store credentials locally, and includes an unsafe shell helper.

Review before installing. Avoid scripts/publish.sh unless the eval/source behavior is fixed, pin the GitHub install to a trusted commit, use a dedicated WeChat credential with limited blast radius where possible, and disable AI humanization for confidential drafts unless you accept sending the text to the configured AI provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
Finding
The module reads secrets from ~/.openclaw/.env even though the module's stated purpose is generic app configuration for the WeChat publisher. Pulling credentials from another runtime's global secret store creates an implicit trust boundary crossing and can unexpectedly import unrelated secrets into this application.

Intent-Code Divergence

Severity: Low | Confidence: 74%
Finding
The load() method claims to load from file and environment variables, but it also reads ~/.openclaw/.env as an additional secret source. This hidden behavior reduces transparency and can mislead users or reviewers about where sensitive configuration is coming from.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding
The converter accepts a caller-supplied api_endpoint and posts the full Markdown content to it, enabling arbitrary outbound network requests and data transmission beyond the component's core local conversion role. In an agent/plugin context this can become SSRF-like behavior or unauthorized exfiltration of document contents to attacker-controlled services.

Vague Triggers

Severity: Medium | Confidence: 93%
Finding
The invocation examples are generic natural-language phrases like '把这篇文章发到公众号' ("post this article to the official account") and '帮我发布到微信,测试一下' ("help me publish to WeChat, give it a test"), which can easily overlap with ordinary conversation. In an agent environment, this increases the chance of accidental skill activation and unintended publication of content to a real WeChat public account, especially because the skill performs an external side effect rather than a read-only action.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding
The README advertises automatic AI 'humanization' of article content but does not warn that article text may be sent to third-party AI providers such as OpenAI, Qwen, or others. This creates a data leakage and privacy risk because users may publish sensitive drafts, proprietary material, or personal data without realizing the content is transmitted externally for processing.

Vague Triggers

Severity: Medium | Confidence: 94%
Finding
The auto-trigger conditions are broad enough to match ordinary publishing or formatting requests, which can cause the skill to activate without a clearly scoped, informed user intent. Because this skill can publish content and contact external services, overbroad triggering increases the chance of unintended network actions, accidental publication, or silent processing of sensitive content.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The README advertises direct publishing and optional AI-based rewriting but does not clearly warn that article content, credentials-derived actions, and possibly image resources may be transmitted to WeChat and third-party AI providers. In a skill context, missing disclosure is risky because users may unknowingly send private drafts or sensitive business content to external services.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The code extracts article text and sends it to a configured external AI provider for 'humanization' without an explicit warning or confirmation at publish time. This can leak unpublished, proprietary, or sensitive content to third-party services, which is especially risky in a publishing tool where drafts may be confidential.

Missing User Warnings

Severity: Medium | Confidence: 87%
Finding
The save() method serializes app secrets, including WeChat app_secret and AI api_key, directly to config.yaml on disk with no warning, encryption, or permission hardening. Storing credentials in plaintext increases exposure to local compromise, backups, accidental disclosure, or unsafe file sharing.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
When use_api is enabled, the full Markdown body is transmitted to an external API without any built-in disclosure, consent, or data-classification check. This can leak sensitive article content, embedded secrets, internal URLs, or unpublished material to a third party, which is especially risky in an agent skill that may process user-provided documents.

Missing User Warnings

Severity: Medium | Confidence: 89%
Finding
The function will fetch attacker-controlled remote URLs whenever `css_path` begins with `http://` or `https://`, which introduces SSRF-style behavior and unintended outbound network access. In a skill or agent context, this can expose internal services, leak network metadata, or cause the system to contact arbitrary hosts without explicit operator awareness.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The code transmits full user-provided content to third-party AI endpoints and authenticates with an API key, but there is no consent flow, warning, redaction, or privacy guardrail in this module. In a publishing workflow, users may submit drafts containing unpublished, sensitive, or regulated data, so silent remote transmission creates a real confidentiality and compliance risk.

Missing User Warnings

Severity: Medium | Confidence: 83%
Finding
The code accepts arbitrary http/https image URLs, fetches them server-side, and then uploads the resulting content to WeChat without validation, disclosure, or restriction. This creates an SSRF-style network access path and can also cause unintended transmission of third-party or internal resources to an external platform if the input is user-controlled.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.