Wechat Oa

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeChat publishing tool, but it is flagged for review because it can delete account content and retrieve subscriber data with limited safeguards.

Install only if you administer the WeChat Official Account and are comfortable giving this skill AppID/AppSecret authority. Protect config.json, review article files and local image paths before create/update, confirm every media_id before deletion, and avoid userinfo/userlist unless you have a clear administrative need and can protect the resulting subscriber data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Severity: High
Confidence: 89%
Finding
The tool advertises draft-push functionality but also exposes user analytics and identity lookup operations against the WeChat account, expanding access from content publishing into follower surveillance and personal data retrieval. In an agent-skill context, that broader capability set is dangerous because an automation caller may invoke sensitive data access that is unrelated to the stated purpose and not expected by the operator.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill exposes destructive operations such as delete, batch-del, and materialdel, including interactive and batch modes, without prominent warnings, confirmation requirements, or safety guardrails in the documented interface. In a content-management context tied to a live WeChat Official Account, mistaken or manipulated invocation could lead to irreversible loss of drafts or media assets and operational disruption.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The non-interactive material deletion path deletes arbitrary media IDs immediately, without confirmation, dry-run mode, or strong user-facing warning. In an agent setting this can lead to irreversible destructive actions from malformed prompts, accidental invocation, or abuse of the skill to wipe assets.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Draft deletion is directly exposed as a command with no explicit destructive-action warning and no confirmation in non-interactive flow. Although limited to drafts, this still enables unintended or malicious loss of unpublished content if invoked by an automated agent or careless operator.

VirusTotal

67/67 vendors flagged this skill as clean.