ClawHub

WeChat Article to Obsidian

Security checks across malware telemetry and agentic risk

Overview

This skill coherently fetches user-provided WeChat article links, converts them to Markdown, and saves them into a configured Obsidian vault, with local-file-write risks disclosed enough for a benign verdict.

Install only if you want an agent to create Markdown files in your Obsidian vault. Set vault_disk_root carefully, test with a non-sensitive folder first, and review the resolved save path because the saver will create folders and may overwrite an existing note with the same title.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to execute shell commands and write files, including persistent writes to both the Obsidian vault and a config.json file, but does not declare corresponding permissions. Undeclared capabilities weaken reviewability and consent boundaries, making it easier for a skill to perform filesystem changes the platform or user did not clearly authorize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description claims 'zero external dependencies' beyond curl and Node.js, but the body requires Python, Playwright, and a browser for fallback, and describes behavior broader than the headline suggests. This mismatch can mislead users and reviewers about what will be installed or executed, reducing informed consent and obscuring the true attack surface, especially because browser automation materially increases execution complexity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes direct writes into the user's Obsidian vault but does not clearly warn that running the skill will modify local files on disk. In an agent-executed context, users may treat the action as a harmless import step and not realize the agent will create folders and write notes, increasing the risk of unintended file modification or mis-targeted saves if configuration is wrong.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README describes fetching article content with curl and a browser fallback, but it does not clearly disclose the privacy implications that URLs and article contents are transmitted over the network and, in fallback mode, rendered in a real browser context. Users may unknowingly expose reading targets, authenticated browsing state, or fetched content to external services or local browser tooling depending on how the fallback is configured.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs persistent writes to config.json and to files inside the user's Obsidian vault without an explicit warning or confirmation step before those writes occur. In a note-taking context this is especially sensitive because the vault is user content storage; ambiguous path parsing from natural language could cause unintended file placement or overwrite of existing notes.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad phrases such as "保存微信", "导入微信", and "wechat article" without tighter constraints that clearly bind invocation to WeChat article clipping into Obsidian. This can cause the skill to activate in conversations where the user did not intend file-writing or external fetching behavior, increasing the chance of unintended data retrieval or note creation. In this skill's context, the risk is somewhat elevated because the capability includes direct vault saving, so accidental invocation has side effects on local files.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal