WeChat Official Account Article Scraper (微信公众号文章抓取)

Security checks across malware telemetry and agentic risk

Overview

This WeChat article scraper has a real credential-handling problem: it ships and uses an embedded authenticated WeChat cookie instead of relying on the user-controlled cookie file described in the documentation.

Review this version carefully before installing or running it. Remove the embedded cookie, rotate or revoke the exposed WeChat session if it belongs to you, and only use a version that reads a user-supplied credential from a protected secret/config location with clear warnings about cookie sensitivity and the exact WeChat endpoints contacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding
The skill documentation indicates functionality that requires outbound network access, but no permissions are declared. This creates a transparency and policy-enforcement gap: users and the platform cannot accurately assess or constrain what the skill is allowed to do, which is risky for a scraper that contacts external services. In this context, the omission is more dangerous because the skill targets authenticated WeChat endpoints and handles session material.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
If the underlying code uses a hardcoded authenticated WeChat cookie, that is a serious hidden behavior not disclosed by the description. Embedding a live session credential in code can grant unauthorized access to a WeChat account, enable account/session compromise if the skill is shared, and violate the principle of least surprise. The skill context makes this more dangerous because the stated purpose is ordinary article scraping, so users may not expect bundled account credentials or authenticated access behind the scenes.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script embeds a live authenticated WeChat cookie directly in source code, including multiple session identifiers and token material. Anyone with access to the skill can reuse that session to access or act as the associated WeChat account, which turns the skill into a credential distribution mechanism rather than a simple article fetcher.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs users to copy an authenticated Cookie from browser developer tools and store it locally, but does not clearly warn that this cookie is a sensitive credential that may provide account access if leaked. This can lead users to mishandle a powerful session token, commit it to disk insecurely, or share it inadvertently. In this context, the risk is elevated because the cookie is tied to mp.weixin.qq.com administrative access rather than a low-value public API token.

Missing User Warnings

High
Confidence: 98%
Finding
The script transmits the full authenticated WeChat cookie on every request without clear consent, warning, or scope limitation. Because the cookie represents an authenticated browser session, sending it from an automation tool exposes account privacy and enables misuse if logs, errors, or downstream systems capture request headers.

VirusTotal

65/65 vendors flagged this skill as clean.
