Back to skill

Security audit

WeChat MP Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for WeChat publishing, but it can automatically publish irreversible posts using stored account credentials without a built-in confirmation step.

Review before installing. Use it only if you intentionally want an agent or scheduled automation to manage a WeChat Official Account. Store the AppID/AppSecret carefully, restrict .env file permissions, avoid logging commands or tokens, and add your own confirmation, dry-run, or allowlist before any scheduled publish. Treat every publish action as an immediate broadcast to all subscribers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents use of file read/write, shell commands, and network access, but does not declare permissions or boundaries for those capabilities. That creates a transparency and policy-enforcement gap: an agent may invoke powerful operations such as reading env files, calling external APIs, or running shell commands without the user or platform having an explicit permission model to review or constrain them.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list includes broad phrases such as 'publish to WeChat', 'auto-publish', and '公众号发布', which can match ordinary user requests without enough context or confirmation. Over-broad activation can cause the skill to be selected in situations involving real outbound publishing, increasing the risk of unintended content posting to subscribers or misuse of stored credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs an irreversible publish-to-all-subscribers action immediately once invoked, without any interactive confirmation, dry-run mode, or allowlist check. In automation or agent-driven contexts, this increases the risk of accidental mass publication, misuse of the wrong media_id, or unintended content release.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script exposes a one-call function that publishes a draft to all subscribers without any guardrail such as an interactive confirmation, dry-run mode, environment gate, or explicit warning at call time. In the context of an automation skill for scheduled publishing, this increases the chance of accidental mass publication from bad inputs, misuse by downstream agents, or unintended triggering.

External Transmission

Medium
Category
Data Exfiltration
Content
result = subprocess.run(
        [
            "curl", "-s",
            f"https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={appid}&secret={secret}",
        ],
        capture_output=True,
        text=True,
Confidence
90% confidence
Finding
https://api.weixin.qq.com/

Unvalidated Output Injection

High
Category
Output Handling
Content
def get_access_token(appid, secret):
    """Get WeChat access_token. Handle IP whitelist error (40164)."""
    result = subprocess.run(
        [
            "curl", "-s",
            f"https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={appid}&secret={secret}",
Confidence
87% confidence
Finding
subprocess.run( [ "curl", "-s", f"https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid={appid}&secret={secret}", ], capture_output

Credential Access

High
Category
Privilege Escalation
Content
export WECHAT_APPID="wx_your_appid"
export WECHAT_SECRET="your_secret"

# Get access token
TOKEN=$(get_wechat_token)

# Upload cover image (returns media_id)
Confidence
93% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
- If the file exists: read the `media_id` field.

### Step 3: Load credentials
Read the .env file at {ENV_FILE_PATH} for WECHAT_APPID and WECHAT_SECRET.

### Step 4: Publish the draft
1. Get access_token:
Confidence
78% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/api-guide.md:14