Security audit

WeChat Moments Post

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can automatically publish to a live WeChat Moments account without a final confirmation step.

Install only if you intentionally want automation that can publish directly to your WeChat Moments feed. Before running it, verify the account, image path, caption, and audience, keep sensitive windows closed, and prefer adding a manual confirmation before any Publish click. Review WECHAT_EXE carefully so it points to the real WeChat executable, and delete the temporary screenshot directory after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'WECHAT_EXE' from os.environ.get (line 27, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
# launch fresh
subprocess.Popen([WECHAT_EXE])
print("LAUNCHED", WECHAT_EXE)
time.sleep(3)
Confidence
95% confidence
Finding
subprocess.Popen([WECHAT_EXE])

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill explicitly relies on environment variables and invokes local scripts, which implies shell/env capabilities, but it does not declare any permissions or capability boundaries. In an automation skill that can post to a live social feed, missing permission disclosure reduces transparency and can enable unsafe execution without adequate user awareness or policy gating.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The invocation text is broad and maps to common user phrasing such as publishing or re-posting to Moments, which increases the chance of over-triggering in situations where the user did not intend full UI automation. Because the workflow culminates in posting to a public or semi-public social feed, accidental activation could cause unintended content publication.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not clearly warn that it automates posting to a live social feed using desktop UI actions. This omission is particularly risky because the scripts can open WeChat, select an image, paste text, and click publish, creating a direct path to unintended public disclosure, reputational harm, or leaking sensitive content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script automatically clicks the OCR-detected "发表" button, which can immediately publish content to WeChat Moments without any final user confirmation, review, or safety interlock. In the context of a posting automation skill, that creates a real risk of unintended publication, mis-targeted clicks from OCR/UI ambiguity, or abuse by a higher-level agent that triggers public posting without explicit last-step consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script automatically clicks the WeChat “发表” publish control after OCR detection, with no user confirmation, dry-run mode, or final review gate. Because posting to Moments is an external, user-visible, and effectively irreversible action, mis-targeting, stale window focus, OCR error, or bad input can cause unintended public disclosure immediately.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code clears and replaces the system clipboard with the caption text without warning the user or restoring prior clipboard contents. This can destroy user data currently in the clipboard and may expose sensitive caption text to other applications that monitor clipboard access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script captures the entire screen and writes the screenshot to disk for OCR, which can unintentionally collect sensitive data from unrelated windows, notifications, or documents. In this skill context, GUI automation makes some screen inspection expected, but full-screen persistent capture without explicit notice, minimization, or cleanup increases privacy and data-exposure risk.

VirusTotal

46/46 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.