wechat-publish-pro

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it needs review because it can use WeChat credentials to create external drafts and includes unsafe helper-script and secret-handling behavior.

Install only if you trust the publisher and are comfortable giving this tool WeChat official account credentials. Prefer explicit CLI commands over broad chat requests, review generated drafts before public release, avoid sensitive unpublished content unless you understand the network/API paths, protect or avoid the plaintext config file, and avoid scripts/publish.sh until its eval and env-file sourcing behavior are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The README suggests very broad natural-language triggers such as '把这篇文章发到公众号' (roughly, "post this article to the official account") and '帮我发布到微信,测试一下' (roughly, "help me publish to WeChat, and test it") for an agent-integrated publishing action. In an agent environment, vague everyday phrases can cause accidental invocation of a capability that performs external publication using stored credentials, increasing the risk of unintended drafts or content transmission to WeChat.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README instructs users to configure AppID/AppSecret and publish to a WeChat draft box, but it does not clearly warn that article content and metadata will be sent over the network to an external third-party platform. In a skill context, this omission can mislead users about the privacy and publication consequences of using the tool, especially if sensitive drafts are processed through agent workflows.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The auto-trigger conditions are broad enough to match ordinary user requests such as publishing an article or testing a WeChat connection, which can cause the skill to activate without clear user intent. Because this skill publishes content to an external WeChat service, unintended activation could lead to accidental content transmission or draft creation using configured credentials.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The example phrases are generic conversational requests and could be interpreted during normal chat, increasing the risk of accidental skill activation. In a publishing skill with external side effects, that can result in unintentional conversion, connection testing, or uploading content to a third-party platform.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The description emphasizes direct publishing but does not clearly warn that article text, images, and metadata may be transmitted to WeChat's external service. Users may not understand the data-flow or privacy implications, which is especially important for unpublished, sensitive, or proprietary content.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The content explicitly promotes 'one-click publish to draft box' for a WeChat account but does not warn users that this action may upload content and media to an external third-party platform. In an agent skill context, omission of publication side effects can mislead users into triggering external data transfer or account actions without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The script builds a shell command string from user-controlled inputs (`file`, `title`, `cover`) and executes it with `eval`, which can lead to command injection if quoting is bypassed or shell metacharacters are introduced. In a publishing skill context, these parameters are expected to come from users or upstream automation, so using `eval` materially increases the risk of arbitrary command execution on the host.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The code persists WeChat app credentials to ~/.wechat-publish-pro/config.yaml in plaintext without setting restrictive file permissions or providing any warning that secrets are being stored on disk. If the local filesystem is accessible to other users, backup systems, or malware, these credentials can be recovered and abused to access the associated WeChat account.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: When `use_api` is enabled, the converter sends the full Markdown content to a remote endpoint, which may include sensitive text, embedded secrets, or internal URLs. This file contains no user-facing consent, warning, allowlist, or data-classification check before transmission, so users can unknowingly exfiltrate content to a third party or attacker-controlled custom endpoint.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The function accepts arbitrary `http://` or `https://` URLs and fetches them server-side, which can enable SSRF-style behavior if untrusted input reaches `css_path`. Even without advanced request features, this permits outbound network access to attacker-chosen hosts, may expose internal services or metadata endpoints, and can create unwanted network side effects.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The code accepts arbitrary remote image URLs and fetches them server-side before uploading the content to WeChat. This creates an SSRF-style capability and can be abused to make requests to internal services, cloud metadata endpoints, or otherwise restricted network locations, while also transmitting fetched content to a third party without validation or user disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.