wechat-multi

Warn

Audited by Socket on Apr 19, 2026

2 alerts found:

Anomaly, Security

Anomaly: LOW
README.md

The fragment describes a macOS tool to run multiple WeChat copies with elevated privileges. While not inherently malicious in function based on the README, the combination of NOPASSWD sudo usage and dependency on an external npm package introduces notable supply-chain and privilege-risk vectors. If the package is compromised or misbehaving, it could execute privileged actions without prompting. There is no explicit malware behavior evident in the text, but the security posture is fragile due to privileged automation and external dependencies. Recommend: (1) review the actual wechat-multi.sh script and any helper scripts for dangerous operations, (2) avoid or tightly constrain NOPASSWD privileges, (3) verify package integrity (SHA256/lockfiles) and consider vendoring or signing the script, (4) test in an isolated environment, and (5) implement user prompts for privileged actions or require explicit authorization before destructive operations.

Confidence: 80%, Severity: 60%

Security: MEDIUM
SKILL.md

SUSPICIOUS: The skill’s purpose and local app-manipulation behavior are broadly aligned, and no credential exfiltration or third-party network routing is shown. However, it requires persistent passwordless sudo for an unverifiable local script, making the privilege scope and execution trust disproportionate to a convenience tool.

Confidence: 87%, Severity: 76%

Audit Metadata

Analyzed At: Apr 19, 2026, 07:16 AM
Package URL: pkg:socket/skills-sh/joeseesun%2Fqiaomu-wechat-multi%2Fwechat-multi%2F@a0c134c0ede58b5c61591b0bd683c4924ab583db