Back to skill

Security audit

OpenClaw Weixin Channel

Security checks across malware telemetry and agentic risk

Overview

This appears to be a functional WeChat channel plugin, but it needs review because it includes under-documented debug/log features and broad media URL handling that could expose data or be abused.

Install only if you are comfortable giving this plugin ongoing access to a WeChat account, local OpenClaw state, saved tokens, logs, and network media URLs. Before broad use, review or fix the pre-authorization slash command handling, document or restrict debug and log-upload features, and add URL validation plus size/time limits for remote media downloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
72% confidence
Finding
The skill declares no permissions even though its documented behavior clearly implies network access and handling of environment/runtime state. Missing permission declarations weaken review and user consent, making it easier for a plugin with messaging and login capabilities to overreach without explicit visibility.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose omits materially sensitive behaviors: uploading local log files to arbitrary remote URLs, undocumented slash commands, and persistent storage of authorization/session state. In a messaging plugin, these hidden capabilities increase the risk of data exfiltration, abuse of debugging features, and unsafe handling of authentication artifacts without informed user approval.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
When debug mode is enabled, the code sends detailed internal diagnostics back to the message sender, including timing data, routing behavior, and whether OPENCLAW_STATE_DIR is set. In a messaging-channel plugin, exposing operational internals to external users increases information disclosure risk and can help an attacker profile backend behavior, deployment layout, and troubleshooting state.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code fetches an arbitrary URL and writes the response to local disk without any validation, allowlisting, size limits, or SSRF protections. In a messaging/channel integration, attacker-controlled URLs could trigger server-side requests to internal services or cause disk consumption through large downloads, making this more dangerous than a simple UX omission.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/log-upload.ts:76

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/api/api.ts:83