Wechat Publisher Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it handles powerful WeChat publishing credentials too casually and documents unsafe secret practices.

Install only if you are comfortable giving this skill WeChat official-account API credentials and allowing scheduled draft creation. Do not copy the sample secrets, pass real AppSecrets on the command line, show config output in screenshots, or hardcode credentials in scripts; use environment variables or a protected secret store and test on a non-critical account first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The installation guide includes a full example AppSecret in interactive configuration prompts, normalizing disclosure of a sensitive credential and making it easy for users to paste real secrets into terminals, screenshots, logs, or shared documentation. Even if the shown value is only an example, publishing full-secret examples in setup and output flows encourages unsafe handling of credentials.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document tells users that AppSecret is sensitive, but nearby examples still show a complete secret value. This contradiction teaches poor secret hygiene and increases the chance that operators will treat real AppSecrets as display-safe values in documentation or support interactions.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The guide presents `--test` as a test publish, but the documented result is actual draft creation on WeChat. That mismatch can cause unintended content publication workflows, leaking collected content to a third-party platform or creating operational side effects when users expect a dry run.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The troubleshooting guide explicitly recommends storing a live WeChat AppSecret directly in scripts and JSON config files. This is dangerous because secrets embedded in source files are easily exposed through version control, backups, process inspection, local file access, screenshots, or logs, leading to account takeover or abuse of the associated WeChat API privileges.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The example command passes the AppSecret as a CLI argument, which can leak through shell history, process listings, terminal logging, audit tools, and screenshots. Even if intended as documentation, this creates a realistic credential exposure path for users following the instructions verbatim.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide exposes a full AppSecret in configuration examples without a strong adjacent warning not to print or share credentials. This can lead users to copy unsafe patterns into real operations, where secrets may end up in logs, shell history, screenshots, or support tickets.

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide explicitly instructs users to run a configuration display command whose sample output prints the full `app_secret`. This is more dangerous than a static example alone because it operationalizes credential exposure: users may reveal real production secrets on screen, in terminal logs, recordings, or remote support sessions.

Missing User Warnings

High
Confidence
99% confidence
Finding
This section not only suggests hardcoding credentials but does so without any warning about the resulting exposure risk. In a troubleshooting context, users are especially likely to copy the guidance directly, making the unsafe pattern more dangerous because it normalizes insecure secret management as a recommended fix.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide describes unattended publishing to a WeChat public account draft box and writing local result files, but it does not clearly warn users that enabling the skill will modify remote account content and create or update local data on disk. This can lead to users granting access without understanding the side effects, increasing the risk of unintended posts, account misuse, or unexpected persistence of publication artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to configure `app_secret` but does not label it as a sensitive credential or provide handling guidance. Because this secret can authorize access to the official account APIs, poor storage or accidental disclosure could let an attacker publish content, access account functionality, or impersonate the account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide tells users to pass the official account AppSecret directly as a command-line argument, which commonly exposes secrets through shell history, process listings, terminal logs, and screenshot sharing. This is a real credential-handling weakness because AppSecret is a long-lived authentication secret for the WeChat public account and can enable unauthorized API access if disclosed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The manual instructs users to store the AppSecret in plaintext in a local JSON config file, normalizing insecure secret storage without documenting risks or protection requirements. If the host is shared, backed up, synced, malware-infected, or the file permissions are lax, the credential can be recovered and used to impersonate the official account integration.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill clearly automates publication to a WeChat public account draft box and also exposes scheduling behavior, but the description presents this as a feature without a prominent warning that content may be published automatically on a timed basis. In an agent-driven environment, unclear disclosure can cause unintended account actions, reputational damage, or accidental publication if a user enables the skill without fully understanding its automation scope.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill requests a WeChat `app_secret`, which is a sensitive credential, but the documentation does not warn users to treat it as secret material or explain safe storage and handling requirements. In agent ecosystems, omission of credential-safety guidance increases the chance that users paste secrets into insecure configs, logs, chat transcripts, or shared files, which could enable unauthorized access to the associated public account APIs.

VirusTotal

67/67 vendors flagged this skill as clean.
