Trust Assessment
wechat received a trust score of 66/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Potential Data Exfiltration via LLM Output, Potential Command Injection via Search Keyword, and Skill Requires Access to Highly Sensitive Directories.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Data Exfiltration via LLM Output.** The skill's primary function is to read sensitive local WeChat data (contacts, chat history, favorites, etc.). While the skill documentation explicitly states 'read-only' and 'no upload', the LLM agent, if instructed, can output this sensitive data in its responses, effectively exfiltrating it from the local environment through the LLM's communication channel. This is an inherent risk for any skill designed to access local sensitive user data. Implement strict output filtering and user consent mechanisms for sensitive data. Ensure the LLM is explicitly instructed *not* to output raw sensitive data unless absolutely necessary and confirmed by the user. Consider redacting or summarizing sensitive fields by default. | LLM | SKILL.md:120 |
| HIGH | **Potential Command Injection via Search Keyword.** The skill demonstrates usage of `python3 scripts/wechat.py search "关键词"`. If the '关键词' (keyword) is derived directly from untrusted user input and the `wechat.py` script does not properly sanitize or escape this input before passing it to a shell command or a database query, it could lead to arbitrary command execution or SQL injection. The `wechat.py` script itself is not provided for analysis, but the pattern of passing user-controlled strings to a command-line tool is a common injection vector. Ensure that `scripts/wechat.py` rigorously sanitizes all user-provided arguments, especially the search keyword, before using them in shell commands or database queries. Prefer using `subprocess.run` with `shell=False` and passing arguments as a list. For database queries, use parameterized queries. | LLM | SKILL.md:68 |
| MEDIUM | **Skill Requires Access to Highly Sensitive Directories.** The skill explicitly states it requires access to the user's WeChat data directory (`~/Library/Containers/com.tencent.xinWeChat/` on macOS, or custom paths on Windows), which contains highly personal and sensitive information. Furthermore, the documentation suggests granting '完全磁盘访问权限' (Full Disk Access) to the terminal, which is an extremely broad permission that could be abused if the skill or the underlying `wechat.py` script has vulnerabilities. While the skill claims 'read-only', the scope of access is still excessive for a general-purpose agent skill. Clearly articulate the security implications of granting such broad access to users. Explore if more granular permissions can be requested instead of 'Full Disk Access'. Ensure the `wechat.py` script strictly adheres to read-only operations and has no other side effects. | LLM | SKILL.md:20 |
| MEDIUM | **Untrusted External Dependency (OpenClawCLI).** The skill requires the installation of 'OpenClawCLI' from an external URL (`https://openclawcli.vercel.app/`). The integrity and security of this external tool are unknown. A compromise of the `openclawcli.vercel.app` domain or the OpenClawCLI project itself could lead to the installation of malicious software on the user's system, which could then be leveraged by this skill or other processes. Additionally, the `scripts/wechat.py` script's origin and trustworthiness are not established within this context. Provide clear instructions on how to verify the authenticity and integrity of `OpenClawCLI` (e.g., checksums, signed binaries). If possible, bundle necessary components or specify exact versions to mitigate future changes. Document the source and security practices of `scripts/wechat.py`. | LLM | SKILL.md:5 |