weibo-auto-post

Security checks across malware telemetry and agentic risk

Overview

This Weibo automation is mostly disclosed and purpose-aligned, but it can post publicly from a logged-in account, run scheduled posts, take screenshots, overwrite the clipboard, and delete matching files with weak safeguards.

Install only if you are comfortable with an agent operating your desktop and publishing to a live Weibo account. Use a test account or separate browser profile, require manual review before each post, avoid unattended cron jobs until you add a dry-run or approval gate, and change cleanup to a dedicated temporary folder that deletes only files created by that run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
$img.Dispose()
Write-Output "CLIPBOARD_OK"
'''
        result = subprocess.run(["powershell", "-Command", ps_cmd], capture_output=True, text=True)
        if result.returncode == 0:
            print(f"[clipboard] Image copied: {args.image}")
        else:
Confidence
97% confidence
Finding
result = subprocess.run(["powershell", "-Command", ps_cmd], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell commands and appears to rely on environment access, but it does not declare permissions or clearly bound those capabilities. In practice this hides impactful behavior from users and hosts, making it easier for the skill to execute local commands, manipulate files, and interact with the system without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose understates several impactful behaviors: screenshot capture, local file deletion, and browser-driven posting on a logged-in account. This mismatch is dangerous because users may authorize a seemingly simple image/posting helper without realizing it can capture screen contents and remove local files, which increases privacy and integrity risk.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are broad enough to match ordinary requests like 'help me post to Weibo' or 'generate a Weibo image,' which can cause the skill to activate in situations where the user did not intend full automation. In this context, overbroad activation is more dangerous because the skill can post publicly, use browser automation, and delete files afterward.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes automatic public posting and deletion of local files but does not present an explicit warning or consent step for those high-impact actions. Because it acts on a logged-in social media session and removes files using wildcard patterns, accidental or misunderstood execution could cause unauthorized posts, privacy exposure, or unintended data loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
These instructions explicitly tell the agent to perform browser automation to publish to Weibo, write execution records to a local file, and delete local image files, but they do not present these as side effects requiring explicit user acknowledgement. In a skill whose purpose is automated posting, undisclosed posting and filesystem modification materially increase the risk of unintended account actions, duplicate posts, and silent local data changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example cron payload instructs the agent to search trending topics, generate content, post through browser automation, and record links into a local markdown file, yet the guide frames this as normal setup without any warning that future scheduled runs will autonomously act on the user's account and modify local state. Because this is a recurring cron job, the lack of disclosure is more dangerous than a one-off action: it can repeatedly post or edit files without fresh review.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script silently deletes files from a fixed Pictures path and the TEMP directory using broad wildcard patterns, without explicit user confirmation. In an automation skill that manipulates the user's desktop, unexpected file deletion is risky because it can remove legitimate user files matching the pattern and reduces user control over side effects.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function overwrites the system clipboard with user text without warning or restoring prior contents. In a desktop automation skill, clipboard hijacking is security-relevant because it can disrupt user workflows, destroy sensitive copied data, and create opportunities for unintended pastes into other applications if focus changes.

VirusTotal

67/67 vendors flagged this skill as clean.