Trust Assessment
wechat received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Skill outputs sensitive local user data to LLM context, Skill requires broad 'Full Disk Access' permission.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 5acc5677). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Skill outputs sensitive local user data to LLM context The skill's primary function is to read highly sensitive personal data (WeChat contacts, chat history, session details, favorites) from local SQLite databases and output it to standard output. While the skill explicitly states it's read-only and does not upload data externally, any data printed to `stdout` will be captured by the host LLM, effectively exfiltrating this private information into the LLM's context. This poses a significant privacy risk if the LLM's context is not adequately secured or if the user is not fully aware of the implications of sharing this data with the AI. Ensure users are explicitly warned about the sensitive nature of the data being processed and that it will be exposed to the LLM's context. Implement mechanisms to redact or summarize highly sensitive information before it is returned to the LLM, or provide an option for users to control the level of detail shared. Consider client-side processing or a more secure data handling pipeline if full privacy is paramount. | LLM | scripts/wechat.py:198 | |
| MEDIUM | Skill requires broad 'Full Disk Access' permission The `SKILL.md` documentation explicitly states that the user may need to grant '完全磁盘访问权限' (Full Disk Access) to the terminal for the script to function on macOS. While the Python script itself attempts to access only specific WeChat data directories and uses SQLite in read-only mode, requiring 'Full Disk Access' grants the execution environment (and potentially any other script run within that terminal) overly broad permissions to access *any* file on the user's system. This creates a significant attack surface if the skill or its environment were compromised, or if the user is tricked into running other malicious commands. Explore alternative methods that do not require 'Full Disk Access' if possible, such as using sandboxed environments or more granular permissions. If 'Full Disk Access' is strictly necessary, clearly communicate the security implications to the user and emphasize that this permission should be granted with extreme caution and only to trusted applications/environments. Consider adding a runtime check to verify that only the intended WeChat directories are accessed. | LLM | SKILL.md:20 |
Scan History
Embed Code
[](https://skillshield.io/report/01e0fc45ff747887)
Powered by SkillShield