Back to skill
Skillv1.0.0
VirusTotal security
wxgzh-mcp · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 14, 2026, 8:56 AM
- Hash
- d831916409045fec25fae996bf93f67bd8819c9bf53124814de131acfe197ab4
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wxgzh-mcp Version: 1.0.0 The skill provides legitimate WeChat Official Account management functionality but contains a significant security vulnerability regarding local file access. The `upload_image` and `upload_thumb` tools in `src/tools/media.py` (implemented in `src/wechat_api.py`) accept arbitrary local file paths and upload the contents to WeChat's servers without any path validation or sandboxing. This allows for potential path traversal attacks where an agent could be coerced into exfiltrating sensitive system files (e.g., credentials or configuration files) by uploading them to the WeChat platform.
- External report
- View on VirusTotal