ClawHub

wechat-article-fetcher

Security checks across malware telemetry and agentic risk

Overview

The skill mainly does what it promises, but it automatically starts a background web server that may expose the entire OpenClaw workspace, not just the saved article.

Review before installing, especially if your OpenClaw workspace may contain private files. Prefer using it only in a clean workspace, stop any server it starts after use, and ask the publisher to make HTTP serving opt-in, localhost-only, and limited to a dedicated output folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation advertises and demonstrates network access and local file creation, but it does not declare corresponding permissions. Hidden or undeclared capabilities reduce informed consent and make it harder for a host system or user to apply least-privilege controls before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The stated purpose is article fetching and offline saving, but the skill also exposes saved content through a local HTTP server and handles video cover downloading/link rewriting. This behavioral expansion increases attack surface because serving files over HTTP may expose local content beyond the user's expectation, especially if the server binds broadly or runs automatically.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script's stated purpose is to fetch a WeChat article, but it additionally starts an HTTP server rooted at /root/.openclaw/workspace, which can expose unrelated local files. This creates an unexpected data exposure path beyond article retrieval, especially because the server is launched automatically and in the background without narrowing the served directory.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`python3 -m http.server` serves the current directory recursively, and here the script changes into /root/.openclaw/workspace before launching it. That means the whole workspace may be exposed over HTTP, which is not necessary for simply fetching or saving a WeChat article and could leak sensitive files to other reachable hosts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill omits a clear warning that it writes files/directories locally and serves saved articles over HTTP. In context, this matters because users may expect a simple fetcher, not persistent local storage plus network-serving behavior, which can lead to unintentional data exposure or unsafe execution in sensitive environments.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad natural-language phrases such as '微信文章', '公众号文章', and '保存微信文章', which can cause the skill to auto-activate for generic WeChat article discussions rather than only explicit fetch requests or mp.weixin.qq.com URLs. In an agent setting, overbroad activation can lead to unintended network access, content retrieval, or tool invocation on ambiguous user input, increasing the risk of surprising behavior and data handling beyond user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently starts a background HTTP server if the chosen port is not already in use, with no explicit consent or warning that local files may become accessible. Backgrounding the service makes the exposure less visible to the user and increases the chance that it remains running unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal