Skill v1.0.1

ClawScan security

WeChat Studio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 8, 2026, 4:28 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches a local WeChat preview workbench, but its runtime instructions and included files reference external services and API keys that are not declared, and a prompt-injection pattern was detected — review the code and secrets usage before running.
Guidance
What to consider before installing/running:
- Inspect the shipped server.py and frontend code before running. Look for network calls (requests, urllib, fetch, axios, sockets), any base64 decode/exec behavior, or code that reads system paths or environment variables.
- The skill's docs and previews reference MD2WECHAT_API_KEY and an image provider (openai via https://new.suxi.ai). Even though the skill metadata lists no required env vars, the code likely expects API keys — do not supply high‑privilege credentials (AWS, personal OpenAI keys, etc.) without reviewing the code and limiting token scope.
- The SKILL.md suggests obtaining an 'SK' from job.suxi.ai and entering it into the UI; that is an external third‑party service. Be cautious about giving any tokens or secrets to third parties and prefer test/least-privilege tokens.
- Run the server in an isolated environment (container or VM) and with a non-privileged user. Monitor outbound network connections during initial runs to detect unexpected exfiltration attempts.
- Because code is bundled, prefer to read the full server.py for any hardcoded endpoints, logging or telemetry, and check templates for absolute paths or leaked local info (the previews show /Users/Abigale/...). If you are not comfortable auditing the code, avoid running it on sensitive hosts.
- If you plan to use external APIs, create separate limited-scope API keys for this tool and revoke them after testing.

Confidence notes: I flagged inconsistencies between declared metadata (no env vars) and the runtime files (which reference API keys/third-party endpoints) and a prompt-injection signal was found. I did not perform a full dynamic analysis of server.py; reviewing that file for outbound calls and decoding logic would raise confidence one way or another.
Findings
[base64-block] unexpected: A prompt-injection pattern (base64-block) was detected in SKILL.md content. Prompt-injection artifacts are not expected for a simple local preview workbench and merit manual review of SKILL.md and any embedded strings or encoded payloads before use.

Review Dimensions

Purpose & Capability
concern
Name/description describe a local workbench. That purpose would not normally require undisclosed external API keys or third‑party service tokens, but the SKILL.md and preview files reference MD2WECHAT_API_KEY, an image provider (openai via https://new.suxi.ai/v1), and an external job.suxi.ai SK — these credentials are not declared in the skill metadata, creating an incoherence.
Instruction Scope
concern
Runtime instructions ask you to pip/npm install and run a local server (expected). They also instruct how to provide an external 'SK' from job.suxi.ai and show an API provider block (provider: openai, api base: https://new.suxi.ai/v1) — the skill will likely call out to external services and expects API keys. The SKILL.md does not explicitly constrain what files or env vars the server will access; the included preview HTML already references MD2WECHAT_API_KEY and absolute user paths, suggesting templates or server code may surface local paths.
Install Mechanism
note
No automated install spec is declared (instruction-only install commands are in SKILL.md). Code files are bundled with the skill (server.py, frontend JS/Python), so running the server will execute shipped code. No remote download/install of third‑party binaries was specified, which reduces supply-chain risk, but running bundled server code still executes non-reviewed code locally.
Credentials
concern
Skill metadata declares no required environment variables or credentials, but the SKILL.md and template previews reference MD2WECHAT_API_KEY and an image-generation provider (openai api base at new.suxi.ai). That mismatch is disproportionate and unexpected — the skill may require secrets to operate despite none being declared.
Persistence & Privilege
note
always:false (no force inclusion) and normal model invocation settings. The skill does not request elevated platform privileges in metadata. However, it runs a local server process from bundled code which will run with the invoking user's local privileges — treat this as standard but significant local execution risk.