WeChat Studio

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeChat article workbench, but it needs review because it can expose local workspace files and send draft/article data to external services with limited in-tool warnings.

Review before installing:
  • Use only in a trusted local workspace.
  • Avoid importing sensitive unpublished drafts unless you are comfortable sending derived prompts/media to the configured providers.
  • Do not paste or share SK/API tokens casually.
  • Avoid untrusted reference URLs.
  • Verify the target WeChat account and article details before pressing draft push.
  • Treat generated HTML/JSON as potentially containing signed remote image links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    script = FRONTEND_DIR / "extract_live_reference.js"
    if not script.exists():
        raise FileNotFoundError(f"Live extractor not found: {script}")
    # Spawns a Node process on a caller-supplied reference_url
    result = subprocess.run(
        ["node", str(script), reference_url, str(REFERENCE_SHOTS_DIR)],
        check=True,
        capture_output=True,
        text=True,
        cwd=str(FRONTEND_DIR),
    )
Confidence
90% confidence
Finding
result = subprocess.run( ["node", str(script), reference_url, str(REFERENCE_SHOTS_DIR)], check=True, capture_output=True, text=True, cwd=str(FRONTEND_DIR),

Context-Inappropriate Capability

Low
Confidence
96% confidence
Finding
The preview embeds an absolute local filesystem path (/Users/Abigale/...) into HTML that may be viewed, shared, screenshotted, or published beyond the local workstation. This leaks host-specific directory structure, username, and project layout information that can aid profiling, targeted phishing, or follow-on attacks, even if it does not by itself grant access.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file presents metadata and opening content for one article topic, then shifts into a different templated argument about an "AI startup content system" (AI创业内容系统). In this skill context, that mismatch can poison publishing workflows, cause unintended or misleading output to be previewed or pushed as if it were a vetted rewrite, and undermine trust in generated content.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The upload help text states that importing Markdown will automatically create an article record and try to generate cover and inline images. In this skill's stated scope, image generation is optional and preview/manual-QA oriented, so this copy normalizes extra processing of user content without explicit consent. That can mislead users into triggering external model calls or additional data handling they did not intend.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The workflow sidebar advertises automatic cover generation and automatic body-image generation as default steps. This expands user expectations beyond the manifest's browser preview and manual QA role, and may encourage unreviewed transmission of article content to image services. The issue is primarily deceptive and consent-related rather than a direct code-execution flaw.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The branding copy says uploading Markdown directly completes packaging and draft push, while the rest of the UI shows separate manual confirmation and push controls. This contradiction can mislead users about what actions occur automatically, especially where publishing-related side effects are involved. Misrepresentation of automation around publishing is a security-relevant trust and consent problem.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
`/api/assets` serves any existing file resolved under `ROOT`, not just article assets. That means any local process or webpage able to reach `127.0.0.1:4173` can read arbitrary workspace files, which may include drafts, configs, generated themes, or other sensitive project material unrelated to preview rendering.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The preview HTML embeds externally hosted image URLs containing temporary credential-bearing query parameters such as X-Amz-Credential, X-Amz-Security-Token, and X-Amz-Signature. Even in a local preview, opening the file causes the browser to make outbound requests and expose these signed URLs to the client, browser history, logs, proxies, and anyone with access to the file, which can leak temporary access and violate the local-only preview expectation.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This HTML preview hard-codes external image URLs containing presigned query parameters and a long security token, which exposes credential-like access material to anyone who can read the file, browser history, logs, or screenshots. In a local preview workbench, opening the file also causes remote fetches to a third-party domain, creating unnecessary data egress and allowing token reuse until expiry.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file content does not match the declared skill purpose of a local Markdown/article workbench. Instead it is a copied WeChat login-timeout/error page that loads remote platform assets and could mislead users into interacting with an unrelated interface, increasing phishing, credential-handling, and supply-chain risk in a skill that is supposed to be local-only.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The page sends telemetry and error details to external WeChat endpoints such as badjs.weixinbridge.com and mp.weixin.qq.com. For a claimed local preview/workbench, this creates unnecessary outbound network activity and can leak browsing context, local page URLs, and usage metadata to third parties without clear user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes an optional push to the WeChat draft box but does not explicitly state that article text, metadata, and media assets will be transmitted to an external third-party platform. In a publishing workflow skill, this omission can cause users to unintentionally send sensitive or unpublished content outside the local environment under the mistaken assumption that the tool is only a local preview workbench.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Pushing content to the WeChat draft box sends article text and related metadata to an external publishing platform, yet the skill text does not explicitly warn about that transmission. In a publishing workflow, this can expose sensitive drafts, unpublished content, or regulated material if users assume the workbench is purely local until they manually review outbound actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions tell users to obtain and paste an `SK` token from an external site without any credential-handling guidance, which risks secret leakage, reuse of sensitive tokens in insecure contexts, or phishing-style trust transfer. Because this skill also operates a local server and uses external services, mishandled tokens could grant unauthorized access to publishing or image-generation resources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The page copy describes packaging and draft pushing in a way that implies automatic downstream actions, but it does not warn users about external transmission or effects on their WeChat account. In a publishing tool, lack of clear notice around outbound processing and account-affecting actions weakens informed consent and increases the chance of accidental disclosure or unintended publication workflow changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The upload panel says import will attempt image generation, but it does not disclose that article-derived content may be sent to an external image provider. If users import sensitive drafts, titles, summaries, or embedded prompts could be transmitted without meaningful notice. In this skill context, that increases privacy and confidentiality risk because the tool is positioned as a local workbench.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The draft-push section provides a direct button to push to the WeChat draft box without any visible warning or confirmation about account-side effects. Even though it targets drafts rather than immediate publication, it still modifies the user's connected platform state and may upload article content and selected media. A missing confirmation step raises the risk of accidental account actions and unintended content transmission.

VirusTotal

66/66 vendors flagged this skill as clean.