Wxmini Security Audit

Name: Wxmini Security Audit
Author: aradotso

aradotso/security-skills

Run a static security audit on a WeChat mini-program or wxapkg directory with seven coordinated analysis agents before release or after decompilation.

Install

npx skills add https://github.com/aradotso/security-skills --skill wxmini-security-audit

What is this skill?

Orchestrates 7 specialized agents (decompiler, secret scanner, endpoint miner, crypto analyzer, vulnerability analyzer,
Dual-layer coverage: Python regex scripts for full rule pass plus LLM agents for contextual findings
Parallel Phase 2 runs four analysis agents at once to shorten audit time
Parses natural-language audit intent from triggers like wxapkg scan and decompile-and-audit
Seven security dimensions across static analysis of WeChat mini-program bundles

Adoption & trust: 378 installs on skills.sh; 1 GitHub stars; 0/3 security scanners passed (skills.sh audits).

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Primary fit

Security review and vulnerability scanning belong on the Ship shelf where you harden the product before users touch it. Mini-program audits map directly to the security subphase: sensitive-data leaks, API exposure, crypto misuse, and rule-based static checks.

Common Questions / FAQ

Is Wxmini Security Audit safe to install?

skills.sh reports 0 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.

SKILL.md

READMESKILL.md - Wxmini Security Audit

# wxmini-security-audit

> Skill by [ara.so](https://ara.so) — Security Skills collection.

Automated security auditing framework for WeChat mini-programs using Claude Code Agent Teams. Orchestrates 7 specialized agents to perform comprehensive static analysis covering sensitive information leakage, API endpoint extraction, cryptographic analysis, and vulnerability detection across seven security dimensions.

## What It Does

- **Multi-Agent Orchestration**: Coordinates 7 specialized agents (decompiler, secret scanner, endpoint miner, crypto analyzer, vulnerability analyzer, custom analyzer, reporter)
- **Dual-Layer Architecture**: Python regex scripts ensure 100% rule coverage, LLM agents provide intelligent analysis with context awareness
- **Parallel Phase 2 Execution**: Runs 4 analysis agents simultaneously to minimize audit time
- **User Intent Parsing**: Automatically triggers deep custom analysis when specific endpoints/parameters are mentioned
- **Pure Static Analysis**: Zero network requests, no attack code generation, fully local processing
- **Comprehensive Reporting**: Generates both summary reports and detailed documentation with structured data exports

## Architecture

The framework operates in sequential phases:

1. **Phase 0**: User intent parsing (extracts target path, creates output directory, parses requirements)
2. **Phase 1**: Decompilation (unveilr.exe processes wxapkg files, generates file inventory)
3. **Phase 1.5**: Script pre-scanning (Python regex extracts raw endpoints and secrets)
4. **Phase 2**: Parallel analysis (4 agents run simultaneously: SecretScanner, EndpointMiner, CryptoAnalyzer, VulnAnalyzer)
5. **Phase 2.5**: Custom analysis (triggered only when user specifies particular endpoints/parameters)
6. **Phase 3**: Report generation (aggregates findings into structured reports)

## Installation

### Prerequisites

- Claude Code CLI environment with Agent Teams/Skill support
- Python 3.x (standard library only, no external dependencies)
- Windows platform (current version requires unveilr.exe)
- unveilr.exe binary (WeChat mini-program decompiler)

### Setup

Clone the repository into your Claude Code Skills directory:

```bash
git clone https://github.com/sssmmmwww/wxmini-security-audit.git
cd wxmini-security-audit
```

Obtain `unveilr.exe` from the [unveilr project](https://github.com/nicholaschan23/unveilr) and place it in the `tools/` directory:

```
wxmini-security-audit/
├── SKILL.md
├── agents/
│   ├── agent-01-decompiler.md
│   ├── agent-02-secret-scanner.md
│   ├── agent-03-endpoint-miner.md
│   ├── agent-04-crypto-analyzer.md
│   ├── agent-05-vuln-analyzer.md
│   ├── agent-06-reporter.md
│   └── agent-07-custom-analyzer.md
└── tools/
    ├── unveilr.exe          # Place here
    └── scripts/
        ├── endpoint_extractor.py
        └── secret_scanner.py
```

## Usage

### Basic Audit

Trigger the audit by providing a mini-program directory path:

```
Audit this WeChat mini program D:\wechat\miniapp\wxapkg_files
```

```
Analyze this mini program for security issues C:\miniprogram\target
```

### Focused Analysis

Specify particular concerns to trigger Phase 2.5 custom analysis:

```
Audit this mini program D:\wxapp, focus on the /api/user/login endpoint
```

```
Scan D:\wxapp for vulnerabilities, particularly payment security and privilege escalation
```

### With External Tool Integration

Provide conte

What is this skill?

Orchestrates 7 specialized agents (decompiler, secret scanner, endpoint miner, crypto analyzer, vulnerability analyzer,

Dual-layer coverage: Python regex scripts for full rule pass plus LLM agents for contextual findings

Parallel Phase 2 runs four analysis agents at once to shorten audit time

Parses natural-language audit intent from triggers like wxapkg scan and decompile-and-audit

Seven security dimensions across static analysis of WeChat mini-program bundles

Adoption & trust: 378 installs on skills.sh; 1 GitHub stars; 0/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Wxmini Security Audit

# wxmini-security-audit

> Skill by [ara.so](https://ara.so) — Security Skills collection.

Automated security auditing framework for WeChat mini-programs using Claude Code Agent Teams. Orchestrates 7 specialized agents to perform comprehensive static analysis covering sensitive information leakage, API endpoint extraction, cryptographic analysis, and vulnerability detection across seven security dimensions.

## What It Does

- **Multi-Agent Orchestration**: Coordinates 7 specialized agents (decompiler, secret scanner, endpoint miner, crypto analyzer, vulnerability analyzer, custom analyzer, reporter)
- **Dual-Layer Architecture**: Python regex scripts ensure 100% rule coverage, LLM agents provide intelligent analysis with context awareness
- **Parallel Phase 2 Execution**: Runs 4 analysis agents simultaneously to minimize audit time
- **User Intent Parsing**: Automatically triggers deep custom analysis when specific endpoints/parameters are mentioned
- **Pure Static Analysis**: Zero network requests, no attack code generation, fully local processing
- **Comprehensive Reporting**: Generates both summary reports and detailed documentation with structured data exports

## Architecture

The framework operates in sequential phases:

1. **Phase 0**: User intent parsing (extracts target path, creates output directory, parses requirements)
2. **Phase 1**: Decompilation (unveilr.exe processes wxapkg files, generates file inventory)
3. **Phase 1.5**: Script pre-scanning (Python regex extracts raw endpoints and secrets)
4. **Phase 2**: Parallel analysis (4 agents run simultaneously: SecretScanner, EndpointMiner, CryptoAnalyzer, VulnAnalyzer)
5. **Phase 2.5**: Custom analysis (triggered only when user specifies particular endpoints/parameters)
6. **Phase 3**: Report generation (aggregates findings into structured reports)

## Installation

### Prerequisites

- Claude Code CLI environment with Agent Teams/Skill support
- Python 3.x (standard library only, no external dependencies)
- Windows platform (current version requires unveilr.exe)
- unveilr.exe binary (WeChat mini-program decompiler)

### Setup

Clone the repository into your Claude Code Skills directory:

```bash
git clone https://github.com/sssmmmwww/wxmini-security-audit.git
cd wxmini-security-audit
```

Obtain `unveilr.exe` from the [unveilr project](https://github.com/nicholaschan23/unveilr) and place it in the `tools/` directory:

```
wxmini-security-audit/
├── SKILL.md
├── agents/
│   ├── agent-01-decompiler.md
│   ├── agent-02-secret-scanner.md
│   ├── agent-03-endpoint-miner.md
│   ├── agent-04-crypto-analyzer.md
│   ├── agent-05-vuln-analyzer.md
│   ├── agent-06-reporter.md
│   └── agent-07-custom-analyzer.md
└── tools/
    ├── unveilr.exe          # Place here
    └── scripts/
        ├── endpoint_extractor.py
        └── secret_scanner.py
```

## Usage

### Basic Audit

Trigger the audit by providing a mini-program directory path:

```
Audit this WeChat mini program D:\wechat\miniapp\wxapkg_files
```

```
Analyze this mini program for security issues C:\miniprogram\target
```

### Focused Analysis

Specify particular concerns to trigger Phase 2.5 custom analysis:

```
Audit this mini program D:\wxapp, focus on the /api/user/login endpoint
```

```
Scan D:\wxapp for vulnerabilities, particularly payment security and privilege escalation
```

### With External Tool Integration

Provide conte

Install

What is this skill?

Recommended Skills

Journey fit

Is Wxmini Security Audit safe to install?

SKILL.md

This week for builders

Install

What is this skill?

Recommended Skills

Journey fit

Is Wxmini Security Audit safe to install?

SKILL.md