Back to skill

Security audit

WeChat MP Publish Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeChat publishing toolkit, but it can use account secrets to automatically publish or delete official-account content without built-in confirmation controls.

Install only if you are comfortable giving the agent WeChat Official Account publishing authority. Keep the credential file locked down, prefer manual approval before recurring auto-publish runs, verify every media_id before publishing, and avoid using the delete helper unless you have confirmed the target draft.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs use of local files, shell commands, and outbound network/API operations, but it does not declare any permissions or capability boundaries. This is dangerous because users and platforms cannot accurately assess or constrain what the skill can access, increasing the chance of unintended file access, secret exposure, or uncontrolled external calls during execution.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The template instructs an automation to execute shell commands (`date`, `curl`, and potentially a Python script) rather than confining actions to a narrowly scoped publishing interface. In an automation context, command execution increases attack surface because later prompt or placeholder manipulation can turn a content-publishing workflow into local command execution and data access beyond the stated business need.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The template tells the automation to read local files from user-supplied paths, including a daily status JSON and a credential `.env` file. Allowing arbitrary path substitution can expose unrelated local files or secrets if the placeholders are misconfigured, maliciously edited, or influenced by untrusted input.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
publish_draft sends a freepublish request directly to all subscribers with no built-in confirmation, dry-run mode, or guardrail. In an agentic context, a mistaken invocation, prompt confusion, or unsafe automation could trigger an unintended mass publication that is difficult to retract and can cause reputational or operational harm.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
delete_draft performs a destructive API action without any confirmation, soft-delete behavior, or validation beyond accepting a media_id. In automation or agent use, a wrong identifier or accidental call can irreversibly remove content from the draft box and disrupt publication workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 4: Publish the draft
1. Get access_token:
   curl -s "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=SECRET"
2. If errcode=40164 (IP whitelist): get server IP with `curl -s https://api.ipify.org` and notify the user to add it to the whitelist.
3. Call publish API:
   curl -X POST "https://api.weixin.qq.com/cgi-bin/freepublish/submit?access_token=TOKEN" \
Confidence
84% confidence
Finding
curl -s "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=SECRET" 2. If errcode=40164 (IP whitelist): get server IP with `curl -s https://api.ipify.org` and noti

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 4: Publish the draft
1. Get access_token:
   curl -s "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=SECRET"
2. If errcode=40164 (IP whitelist): get server IP with `curl -s https://api.ipify.org` and notify the user to add it to the whitelist.
3. Call publish API:
   curl -X POST "https://api.weixin.qq.com/cgi-bin/freepublish/submit?access_token=TOKEN" \
Confidence
84% confidence
Finding
https://api.weixin.qq.com/

External Transmission

Medium
Category
Data Exfiltration
Content
result = subprocess.run(
        [
            "curl", "-s", "-X", "POST",
            f"https://api.weixin.qq.com/cgi-bin/draft/add?access_token={token}",
            "-H", "Content-Type: application/json",
            "--data-binary", f"@{json_path}",
        ],
Confidence
83% confidence
Finding
https://api.weixin.qq.com/

External Transmission

Medium
Category
Data Exfiltration
Content
require_env WECHAT_SECRET || return 1

    local response
    response=$(curl -s "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=${WECHAT_APPID}&secret=${WECHAT_SECRET}")

    local errcode
    errcode=$(echo "$response" | jq -r '.errcode // 0')
Confidence
86% confidence
Finding
https://api.weixin.qq.com/

Unvalidated Output Injection

High
Category
Output Handling
Content
def get_access_token(appid, secret):
    """Get WeChat access_token. Handle IP whitelist error (40164)."""
    result = subprocess.run(
        [
            "curl", "-s",
            f"https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={appid}&secret={secret}",
Confidence
79% confidence
Finding
subprocess.run( [ "curl", "-s", f"https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={appid}&secret={secret}", ], capture_output

Credential Access

High
Category
Privilege Escalation
Content
export WECHAT_APPID="wx_your_appid"
export WECHAT_SECRET="your_secret"

# Get access token
TOKEN=$(get_wechat_token)

# Upload cover image (returns media_id)
Confidence
88% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
- If the file exists: read the `media_id` field.

### Step 3: Load credentials
Read the .env file at {ENV_FILE_PATH} for WECHAT_APPID and WECHAT_SECRET.

### Step 4: Publish the draft
1. Get access_token:
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
| Placeholder | Description | Example |
|-------------|-------------|---------|
| `{DRAFT_STATUS_PATH}` | Directory where daily draft JSON files are stored | `/Users/friend/articles/drafts` |
| `{ENV_FILE_PATH}` | Path to the .env credential file | `/Users/friend/.wechat-mp.env` |

---
Confidence
87% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/api-guide.md:14