Security audit

Huo15 Wecom Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeCom integration, but it gives agents broad company-chat, document, calendar, account, and local-file powers that need review before installation.

Install only if you intentionally need a powerful WeCom enterprise connector and can administer it closely. Use least-privilege WeCom apps and secrets, restrict who can message the bot, narrow or disable local media roots, add human approval around delete/share/permission/calendar/account actions, and avoid exposing it to untrusted chats or customer-service users without additional policy controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (44)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 87%
Finding: The documented purpose presents the skill as a WeCom messaging/channel plugin, but the analysis indicates additional capabilities such as calendar, document/table operations, MCP/JSON-RPC bridging, and upstream enterprise message sending. Undisclosed privileged actions materially expand the attack surface and can lead users to grant trust or credentials for a narrow purpose while the skill can perform broader data access and remote action workflows.

Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding: The document makes contradictory claims about implementation status: it says schedule/respond and schedule/sync are already implemented, then later states client.ts and tool.ts still need full implementation. This can mislead operators or downstream agents into assuming sensitive calendar actions are production-ready when they may be stubbed, incomplete, or missing safeguards, increasing the risk of unsafe deployment and broken security expectations.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The file broadly claims all calendar APIs are fully implemented while later admitting callback handling and full method implementations are still pending. In a skill that can create, modify, delete, and disclose calendar data, inaccurate implementation claims are security-relevant because users may rely on nonexistent validation, error handling, or audit behavior for sensitive operations.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The document client exposes meeting VIP advanced-account management endpoints that are unrelated to document handling, expanding the capability surface far beyond what callers would reasonably expect from this module. This kind of scope creep increases the chance that a higher-level agent or permission model grants access to privileged account-administration actions unintentionally.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: This client implements broad document, form, spreadsheet, smart-table, sharing, permission, and deletion administration despite the plugin being described primarily as a messaging/WeCom integration. Such over-broad capability packaging is dangerous because an agent granted this skill for messaging could also modify or destroy enterprise documents and permissions, creating a privilege mismatch.

Context-Inappropriate Capability
Severity: High
Confidence: 93%
Finding: The schema exposes actions to assign and cancel advanced document accounts for arbitrary user ID lists, which are sensitive administrative operations unrelated to the stated bot/messaging use case. If reachable by an LLM agent or insufficiently gated caller, this can enable unauthorized privilege changes, license assignment abuse, and broader access to document capabilities across users.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The tool accepts arbitrary image sources during document creation and will either read a local filesystem path or fetch any remote URL, then upload the resulting bytes into WeCom. This creates a clear arbitrary file read and SSRF/exfiltration primitive: an attacker who can influence tool parameters can read sensitive local files or query internal network resources and smuggle their contents out through the WeCom upload channel.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The share-link validation path performs a direct fetch against any user-supplied URL and parses the returned HTML, rather than limiting requests to known WeCom domains. This is an SSRF surface that can be used to probe internal services, access cloud metadata endpoints, or make the agent issue unintended outbound requests beyond the plugin's stated WeCom scope.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: This test explicitly codifies that webhook callbacks are accepted even when the incoming aibotid does not match the configured value. In a multi-account or multi-bot deployment, that weakens account binding and can allow a validly signed request for one bot context to be routed or processed under another account path, undermining isolation guarantees.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The resolver first checks account-scoped keys, but then falls back to global sessionKey/sessionId and peer mappings when accountId is missing or no scoped match exists. In a multi-account WeCom integration, overlapping session or conversation identifiers can cause one account's source classification to be reused for another account, leading to message routing or authorization decisions being made using the wrong channel context.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The handler logs a preview of the fully decrypted WeCom customer-service callback XML, which can contain customer messages, identifiers, and other sensitive business data. Because this is a transport-layer request handler, logging plaintext payloads increases data exposure to operators, log processors, and anyone with log access, turning routine observability into a confidentiality risk.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The README documents that common local user directories such as Desktop, Documents, Downloads, Movies, and Pictures are allowed by default for media sending. In a plugin that can send files outward to WeCom, broad default read access to user-content directories materially increases the chance of unintended local file disclosure, especially if an agent is prompted to send a local path or if operators assume explicit opt-in is required. The surrounding context makes this more dangerous because the plugin is explicitly designed for bidirectional media handling, proactive messaging, and automated routing, so accidental exfiltration paths are part of normal operation rather than a theoretical edge case.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill exposes an operation that creates events in a user's default calendar and makes them appear as organized by an arbitrary supplied userid, but the documentation does not emphasize authorization, impersonation risk, or consent requirements. In an agentic context, this can enable unauthorized calendar writes and misleading attribution if the caller is allowed to set organizer freely.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill documents destructive delete operations without requiring an explicit confirmation step, preview, or warning about irreversible effects. In an agentic environment, this increases the risk that a model or user issues a deletion action on the wrong document or form, causing unintended data loss.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The automatic initialization behavior deletes default fields and records in newly created smart tables without a prominent warning or opt-in consent. Even if intended to clean templates, silent deletion behavior is dangerous in automation because users may not realize data or structure will be removed automatically.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill exposes permission and sharing operations, including enabling internal or external access, without clear privacy or exposure warnings. In a document-management context this is security-relevant because an agent could unintentionally broaden access to sensitive corporate content, leading to unauthorized disclosure.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The form-answer retrieval interface returns respondent-identifying information and submitted answers, but the documentation does not warn about handling personal or sensitive data. In enterprise and customer-service contexts, this omission can lead agents to retrieve and surface PII more broadly than intended.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The plan explicitly describes obtaining and using a downstream enterprise access token across organizational boundaries, but it does not include any safeguards, consent requirements, token handling restrictions, or tenant-isolation guidance. In a multi-tenant enterprise messaging integration, this creates a real risk of overbroad cross-tenant access, accidental misuse of privileged credentials, and unauthorized data access if the feature is implemented as written.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The changelog documents a security-relevant behavior change: the plugin now allows sending local files from common user directories such as Downloads, Desktop, Documents, Movies, and Pictures by default. Broadening default filesystem access increases the chance of accidental disclosure of sensitive local data, especially in an agent/plugin context where media sending may be triggered by prompts or automation, and the text does not pair this change with a clear warning, consent boundary, or least-privilege guidance.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The document explicitly recommends `dm.policy` set to `open` with `allowFrom` set to `["*"]`, which permits direct-message access from any sender. In a WeCom integration skill, this can expose the bot or agent to unauthorized inbound interaction, abuse, prompt injection, data leakage, and unintended use of enterprise automation if operators follow the example without additional access controls.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The documentation shows secrets such as bot tokens and AES keys being set directly on the command line without any warning about secret handling. This is risky because shell history, process inspection, screen recordings, or copied setup logs can expose credentials that protect the WeCom integration.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The code logs detailed inbound and outbound message metadata, including account ID, transport, message ID, peer identifiers, text length, media count, and a truncated outbound summary. In a messaging integration context, these logs can expose sensitive operational and user communication metadata to operators, log backends, or anyone with log access, especially because the outbound summary may include actual message content.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: sendAgentDmMedia accepts either an arbitrary URL or a local filesystem path, then fetches/reads the content and forwards it to a user via the agent API. If an attacker can influence mediaUrlOrPath, this becomes an SSRF and local file exfiltration primitive that can expose internal services, cloud metadata, or sensitive host files through a legitimate outbound messaging channel.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The code reads arbitrary local file contents with fs.readFile(params.mediaUrlOrPath) and then uploads them onward. Without path validation or confinement, an attacker who can steer that parameter may cause disclosure of sensitive files such as credentials, tokens, application configs, or user data from /tmp, /root, /home, or other readable locations.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: This code reads arbitrary local image files from paths extracted out of user-controlled text and then transmits their contents via the bot response channel. That creates a clear local file exfiltration path: if an attacker can induce the agent to process a message containing a sensitive path, the plugin may disclose private files from the host without any approval gate, path allowlist, or user-visible consent step.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.