One‑Line Skill that Instantly Analyzes WeChat Mini‑Programs
This article presents a hybrid script‑plus‑LLM Skill that automates decompilation, interface extraction, sensitive data discovery, encryption analysis, and vulnerability assessment for WeChat mini‑programs, showing a step‑by‑step workflow, agent architecture, example results, and a GitHub implementation that reduces analysis time to about 20‑30 minutes.
The author introduces a Skill designed to streamline the analysis of WeChat mini‑programs, especially those used in the financial sector where network packets are often encrypted. Traditional debugging or decompilation is cumbersome, so the Skill combines scripted extraction with large language model (LLM) analysis to cover four core functions: interface extraction, sensitive information extraction, vulnerability analysis, and encryption/decryption analysis.
The design began with a pure‑LLM approach, but tests showed that weak models produced inaccurate reports. Consequently, the final architecture uses scripts to gather raw data (interfaces and sensitive fields) and then feeds the results to an LLM for contextual analysis, while keeping vulnerability and encryption analysis fully LLM‑driven.
Usage is illustrated through a case study. The author recommends pairing the Skill with packet‑capture tools such as Burp or Yakit, because some mini‑programs generate dynamic keys via server requests. A sample prompt is provided (wrapped in wxmini-security-audit) that tells the Skill which mini‑program directory to analyze and which API endpoint’s request/response packets to focus on.
The workflow proceeds as follows:
Parse the user’s request.
If the input is an undecompiled package, the Skill decompiles it; otherwise it skips this step.
Run a script to extract APIs and sensitive data from the decompiled code.
Launch four specialized agents, each responsible for one of the core tasks (interface extraction, sensitive data extraction, vulnerability scanning, encryption analysis).
After the agents finish, the Skill outputs corresponding documentation.
If custom analysis is requested, the Skill invokes Burp MCP to capture live packets, allowing the LLM to determine encryption algorithms, keys, and IVs.
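The "run a script to extract APIs and sensitive data" step above is the part of the pipeline that does not need an LLM at all. The following Python script is an added illustration of what such a pre-LLM extraction pass can look like; it is not the Skill's own script from the repository. It walks a string of decompiled mini-program JavaScript (a constructed sample, not from any real app), resolves `wx.request` URLs that are built from a string constant, and flags hardcoded constants whose names suggest key material so a reviewer can fix them before release. The regexes are deliberately simple heuristics and are an assumption about how decompiled output is shaped.

```python
import json
import re

# Constructed sample of decompiled mini-program JS (not taken from any real app).
SAMPLE_JS = r'''
const BASE = "https://api.example-bank.test";
wx.request({ url: BASE + "/v1/user/profile", method: "GET" });
wx.request({ url: "https://api.example-bank.test/v1/transfer", method: "POST", data: enc(payload) });
const AES_KEY = "0123456789abcdef";   // hardcoded key: a finding
const AES_IV  = "fedcba9876543210";   // hardcoded IV: a finding
const appSecret = "sk_test_THIS_IS_A_PLACEHOLDER";
'''

# String constants: const/let/var NAME = "literal"
CONST_RE = re.compile(r'\b(?:const|let|var)\s+([A-Za-z_]\w*)\s*=\s*["\']([^"\']*)["\']')
# Object literal passed to wx.request({ ... }) (assumes no nested braces in the literal)
REQUEST_RE = re.compile(r'wx\.request\s*\(\s*\{([^}]*)\}', re.S)
# url: NAME + "path"  or  url: "https://..."
PATH_RE = re.compile(r'url\s*:\s*(?:([A-Za-z_]\w*)\s*\+\s*)?["\']([^"\']+)["\']')
METHOD_RE = re.compile(r'method\s*:\s*["\']([A-Za-z]+)["\']')
# Identifier fragments that usually denote key material
SECRET_NAME_RE = re.compile(r'secret|key|(?:^|_)iv(?:$|_)|token|passw', re.I)


def extract_endpoints(js: str) -> list[dict]:
    """Return every wx.request endpoint, with BASE-style constants resolved."""
    consts = dict(CONST_RE.findall(js))
    endpoints = []
    for call in REQUEST_RE.finditer(js):
        body = call.group(1)
        path_match = PATH_RE.search(body)
        if not path_match:
            continue  # url is computed at runtime; leave it to the LLM stage
        prefix, path = path_match.groups()
        url = (consts.get(prefix, "") + path) if prefix else path
        method_match = METHOD_RE.search(body)
        endpoints.append({
            "url": url,
            "method": method_match.group(1).upper() if method_match else "GET",  # wx.request default
        })
    return endpoints


def find_hardcoded_secrets(js: str, min_len: int = 8) -> list[dict]:
    """Flag string constants whose name looks like key material; never echo the full value."""
    findings = []
    for name, value in CONST_RE.findall(js):
        if SECRET_NAME_RE.search(name) and len(value) >= min_len:
            findings.append({"name": name, "length": len(value), "preview": value[:4] + "..."})
    return findings


def audit(js: str) -> dict:
    """Raw data handed to the LLM stage: endpoints plus masked secret findings."""
    return {"endpoints": extract_endpoints(js), "hardcoded_secrets": find_hardcoded_secrets(js)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_JS), indent=2))
```

The output is intentionally structured (JSON) rather than a free-text report, because in the architecture described above the LLM consumes it as context; masking secret values in the findings keeps the raw key out of the prompt and out of the saved report while still telling the reviewer where to look.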
In the demonstrated example, the AI successfully identified the encrypted request and response packets, extracted the encrypted key and IV, decrypted them locally, and verified that the decrypted data matched the original payload.
Automation of encryption and decryption is then shown, with a one‑sentence command that lets the AI perform the entire process. The author notes that the environment used includes Claude Code and the GLM‑5 model, and that other models performed poorly.
The complete pipeline runs in roughly twenty to thirty minutes, a significant time saving compared with manual decompilation and analysis.
Additionally, the author presents a small auxiliary mini‑program that, given an AppID, automatically parses the app.json file, generates navigation buttons, and aids in testing unauthorized access scenarios. Screenshots illustrate the UI and generated buttons.
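The auxiliary mini-program described above works from the page list declared in app.json. As an added example (not the author's helper, whose source is not on this page), the Python script below parses a constructed app.json, enumerates every page path including sub-package pages, records which ones are reachable from the tab bar, and emits WXML `<navigator>` elements that a test harness page could render as buttons. The point for a defender is that every page in this list, tab-bar or not, must enforce its own login and authorization check, since a page path can always be opened directly; the sample app.json is constructed and the field names follow the standard app.json schema (`pages`, `subPackages`, `tabBar.list[].pagePath`).

```python
import json

# Constructed app.json for a fictional mini-program (not a real AppID's manifest).
SAMPLE_APP_JSON = json.dumps({
    "pages": [
        "pages/index/index",
        "pages/login/login",
        "pages/account/detail",
    ],
    "subPackages": [
        {"root": "packageA", "pages": ["pages/transfer/confirm"]}
    ],
    "tabBar": {
        "list": [{"pagePath": "pages/index/index", "text": "Home"}]
    },
})


def enumerate_pages(app_json_text: str) -> list[dict]:
    """Flatten main-package and sub-package pages into absolute page paths."""
    cfg = json.loads(app_json_text)
    pages = [{"path": p, "package": "main"} for p in cfg.get("pages", [])]
    # WeChat accepts both spellings of the sub-package key.
    for sub in cfg.get("subPackages", cfg.get("subpackages", [])):
        root = sub.get("root", "").strip("/")
        for p in sub.get("pages", []):
            pages.append({"path": f"{root}/{p}", "package": root})
    tab_paths = {entry["pagePath"] for entry in cfg.get("tabBar", {}).get("list", [])}
    for page in pages:
        # Pages outside the tab bar are not "hidden": they are still directly navigable.
        page["tab_bar"] = page["path"] in tab_paths
    return pages


def generate_navigator_wxml(pages: list[dict]) -> str:
    """One <navigator> per page; a harness page renders these as buttons."""
    lines = []
    for page in pages:
        # Tab-bar pages need open-type="switchTab"; others use the default navigateTo.
        open_type = ' open-type="switchTab"' if page["tab_bar"] else ""
        lines.append(f'<navigator url="/{page["path"]}"{open_type}>{page["path"]}</navigator>')
    return "\n".join(lines)


def pages_outside_tab_bar(pages: list[dict]) -> list[str]:
    """Candidates to check first: reachable only by explicit navigation, so easy to forget."""
    return [p["path"] for p in pages if not p["tab_bar"]]


if __name__ == "__main__":
    found = enumerate_pages(SAMPLE_APP_JSON)
    print(generate_navigator_wxml(found))
    print("review authorization on:", pages_outside_tab_bar(found))
```

Rendering the generated navigators inside a throwaway test page gives the same effect as the screenshots described above: one button per declared page, so a reviewer can confirm that opening, say, an account detail or transfer confirmation page without a valid session is rejected by the server rather than merely hidden from the UI.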
The Skill’s source code is hosted on GitHub at https://github.com/sssmmmwww/wxmini-security-audit. Readers are invited to star the repository if they find it useful.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.