Trust Assessment
wechat-publisher received a trust score of 16/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 0 high, 4 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Persistence mechanism: Shell RC file modification", and "Sensitive environment variable access: $HOME".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Persistence / self-modification instructions.** Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/0731coderlee-sudo/wechat-publisher/SKILL.md:279 |
| CRITICAL | **Command Injection via User-Controlled Markdown File Path.** The `scripts/publish.sh` script takes a Markdown file path as its first argument (`$1`). This argument is then used in the `wenyan publish -f "$file" ...` command. Although the variable `$file` is double-quoted, shell command substitution (e.g., `$(command)`) will be executed by the shell *before* the `wenyan` command is invoked. An attacker can inject arbitrary shell commands by providing a crafted Markdown file path containing `$(malicious_command)`. Since the `SKILL.md` explicitly states that the LLM will provide the Markdown file path based on user input, this creates a direct and critical command injection vulnerability. Implement robust input validation for all user-provided arguments (`file`, `theme`, `highlight`) to prevent shell metacharacters and command substitutions. For file paths, ensure they are valid, existing file paths and do not contain characters that could lead to shell injection (e.g., `$`, `(`, `)`, `;`, `\|`, `&`, `\`). Consider using `readlink -f` to resolve and sanitize paths, and if possible, pass arguments to `wenyan` in a way that bypasses shell interpretation (e.g., using `exec` with an array, though this might require restructuring). | LLM | scripts/publish.sh:89 |
| MEDIUM | **Persistence mechanism: Shell RC file modification.** Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/0731coderlee-sudo/wechat-publisher/SKILL.md:279 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/0731coderlee-sudo/wechat-publisher/scripts/publish.sh:16 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/0731coderlee-sudo/wechat-publisher/scripts/setup.sh:5 |
| MEDIUM | **Automatic Global Package Installation (Excessive Permissions / Supply Chain Risk).** The `scripts/publish.sh` script automatically attempts to install `@wenyan-md/cli` globally using `npm install -g` if it's not found. While the package name is hardcoded, allowing a skill to perform global package installations grants it significant permissions. This introduces a supply chain risk: if the `npm` registry is compromised, or if the `@wenyan-md/cli` package itself becomes malicious in a future update, the skill could inadvertently install and execute harmful code on the host system. This also represents an excessive permission for a skill that primarily publishes content. Avoid automatic global package installations within skill scripts. Instead, instruct the user to manually install prerequisites or use a sandboxed environment (e.g., a virtual environment for Python, or a container for Node.js dependencies) where dependencies are isolated and managed more securely. If global installation is absolutely necessary, consider adding a user prompt for confirmation before execution. | LLM | scripts/publish.sh:20 |