Official Account Draft / Publish (WeChat API)

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill appears purpose-aligned, but it handles live publishing credentials and can send secrets and article files to a configurable API endpoint without enough scoping or safeguards.

Review before installing. Use only with a dedicated WeChat account, keep aws.env out of version control, confirm any API base or proxy points to a trusted official endpoint, and require an explicit dry run or confirmation before creating drafts or publishing live content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Tainted flow: 'req' from pathlib.Path.read_bytes (line 514, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
                data=body,
                headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
            )
            with urllib.request.urlopen(req, timeout=t_up) as resp:
                return json.loads(resp.read())
        except Exception as e:
            last = e
Confidence
89% confidence
Finding
with urllib.request.urlopen(req, timeout=t_up) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly documents file reads, file writes, and outbound network requests to WeChat APIs and optional user-configured proxies, yet it declares no permissions. This creates a transparency and governance gap: an agent or platform may allow execution without surfacing that sensitive local content and credentials will be accessed and transmitted externally.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script allows `api_base` to be overridden from `aws.env` or `config.yaml` and then sends the WeChat `appid`/`secret` to that host when requesting an access token. If a local config is tampered with, the tool can be redirected to an arbitrary endpoint, turning a read-only article utility into a credential exfiltration channel and SSRF-like outbound request primitive.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include very common verbs like '发布', '提交', '推送', and '发出去', which can match ordinary conversation and unintentionally invoke a skill that uploads article content and uses stored credentials. In this context, accidental activation is more dangerous because the skill can perform real external publication actions and transmit local files to a third-party API.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to place the WeChat AppSecret in a local `aws.env` file and only briefly says not to commit real keys, but it does not provide stronger secret-handling guidance such as using a secrets manager, file permission restrictions, rotation, or `.gitignore` enforcement. In an automation/publishing skill that directly uses privileged API credentials, this increases the chance of accidental credential leakage and unauthorized control of the Official Account publishing workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide tells users to store WeChat AppID and AppSecret in a repository-root `aws.env` file but provides no warning about secret sensitivity, exclusion from version control, or safer secret-management options. In a real automation workflow, this increases the chance that credentials are accidentally committed, shared, or exposed to other tooling, enabling unauthorized use of the WeChat publishing account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage guide documents commands that can upload content, use live WeChat credentials from aws.env, and directly publish articles, but it does not clearly warn users that these actions perform real external network operations and may trigger irreversible live publication. In an automation skill for production Official Account publishing, this omission increases the chance of accidental disclosure, unintended mass posting, or use of the wrong account/environment.

Credential Access

High
Category
Privilege Escalation
Content
        - WECHAT_1_APPSECRET
      bins:
        - python3
    primaryEnv: aws.env
---

# 发布
Confidence
97% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.
