wxgzh-mcp

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it gives agents direct WeChat account credentials and one-step delete/publish powers that users should review carefully.

Install only if you trust the agents and clients that can call this MCP server. Treat the WeChat AppSecret and returned access token like passwords, keep config.json out of source control, restrict server access to trusted local users, and require human confirmation before deleting or publishing drafts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that imply environment access, file reads, and network communication, but it does not declare permissions or clearly bound those capabilities. This creates a transparency and consent problem: users or orchestrators may invoke a skill with broader access than expected, increasing the chance of secret exposure or unintended external actions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill manifest is scoped to draft creation and management, but this tool exposes a raw credential retrieval primitive that is broader and more dangerous than the advertised functionality. Returning an access token directly enables any caller with tool access to reuse the credential outside intended workflows and invoke arbitrary WeChat API operations, creating a privilege-expansion path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises deletion and publication capabilities but does not clearly warn that these actions are destructive or externally visible. In an agent or MCP context, this increases the chance of accidental draft deletion or unintended public posting when invoked through natural language, especially by users who may assume all operations are safe or reversible.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to place the AppSecret directly in config.json without any warning about secret handling, storage, or exclusion from source control. This can lead to credential leakage through commits, logs, backups, or shared project files, which would allow unauthorized access to the WeChat public account APIs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises draft deletion and publication functions without warning that these actions are destructive or externally visible and may be irreversible in practice. In a content-management context, silent deletion or accidental publication can cause data loss, reputational harm, or unintended public disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The delete_draft tool performs an irreversible destructive action using only a media_id and provides no confirmation step, dry-run option, or friction to prevent accidental invocation. In an agentic context, where tools may be called from ambiguous user prompts or model mistakes, this increases the risk of unintended content deletion and operational disruption.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function returns the live access token in its response payload with no masking, warning, or containment. Because this token is a bearer credential for downstream API access, exposing it directly allows exfiltration through logs, client displays, transcripts, or chaining into unauthorized API calls beyond the skill's intended purpose.

VirusTotal

66/66 vendors flagged this skill as clean.
