Security audit

Zhy Wechat Publish

Security checks across malware telemetry and agentic risk

Overview

This skill does its stated WeChat draft-publishing job, but it reads and can modify .env files outside its own directory, so users should review it before installing.

Install only if you are comfortable granting it WeChat draft and media-upload access. Use a dedicated skill-local .env with only the required WeChat and image-generation keys, avoid running it from repositories that contain unrelated secrets, avoid --write-env unless you have verified which .env it will edit, and review the separate zhy-article-illustrator helper before using automatic cover generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The script searches for and loads .env files not only from the skill directory but also from the current working directory and a parent project root. In an agent-skill context, this broad credential discovery can unintentionally pull unrelated secrets from the host project and use them during execution, violating least privilege and increasing the blast radius if the skill is run in a sensitive repository.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: When invoked with --write-env, the script modifies the first discovered .env file among several candidate paths, including the current working directory and a parent project root. In a shared repository or agent environment, this creates an unsafe configuration write primitive that can alter unrelated application settings or persist state outside the skill's boundary.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill instructs users to place WeChat AppID and AppSecret in a local `.env` file but does not clearly warn that this stores sensitive credentials on disk, where they may be exposed through backups, misconfigured permissions, accidental commits, or local compromise. While common in development workflows, omitting explicit secret-handling guidance increases the chance of credential leakage.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The workflow states that the skill uploads article bodies and images to WeChat APIs, but it does not prominently warn users that potentially sensitive content leaves the local environment and is transmitted to a third-party platform. In a publishing skill this behavior is expected, but the lack of explicit disclosure can lead to unintentional exfiltration of unpublished, private, or regulated content.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/publish_with_cover.js:132