ClawHub

WeChat Proactive Push

Security checks across malware telemetry and agentic risk

Overview

The skill is openly designed to send proactive and silent WeChat messages, but it uses local OpenClaw account data to bypass platform messaging limits with limited consent and privacy guardrails.

Install only if you control the OpenClaw WeChat account and have clear consent from the recipient. Treat openids, bot account files, and context-token files as sensitive; avoid running the cron probe unless you intentionally want recurring outbound traffic. Review the installer first, especially the silent verification probe and local symlinks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The installer executes ${EDITOR:-nano} directly, so a user-controlled EDITOR environment variable can cause arbitrary commands or unexpected binaries to run during installation. This is a real code-execution risk in environments where EDITOR is inherited from untrusted shell startup files, wrapper scripts, or social-engineered setup instructions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes proactive WeChat messaging that bypasses the official 24-hour messaging limit and includes a silent push mode for health probes, but it does not warn about consent, privacy, or the user-impact of sending messages to a personal messaging account. In this context, omission of those warnings is dangerous because the skill is designed to deliver outbound messages to users' phones and could be used for undisclosed monitoring, spam, or policy-violating contact.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The automation section provides a cron example that sends recurring probe traffic every 15 minutes and alerts on link failure, but it omits any warning that this creates continuous scheduled outbound messaging behavior. Given the skill's stated purpose of bypassing WeChat's normal communication limits, automatic probes materially increase the risk of unnoticed user-data exposure, messaging abuse, operational noise, and policy violations.

Missing User Warnings

High
Confidence
91% confidence
Finding
This skill is explicitly designed for proactive WeChat messaging and even claims to bypass the platform's 24-hour messaging limit, yet it provides no explicit warning about consent, privacy, or policy compliance. In context, that makes the omission more dangerous because the feature can be used for unsolicited contact, privacy violations, or actions that breach platform rules.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints the full configured openid directly to stdout, which exposes a user identifier to terminal logs, shell history capture tools, CI logs, screen recordings, or other observers with local access. In a troubleshooting utility this is contextually less severe than credential leakage, but it is still unnecessary disclosure of potentially sensitive account metadata.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script prints the full openid to the terminal after reading it from the config file. Although this is not direct code execution, it unnecessarily exposes an identifier that may be captured by terminal logs, screen sharing, shell recording tools, or shoulder surfing.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The skill forwards arbitrary message content, target openid, and selected account to an external messaging channel without any explicit consent, warning, or data-handling disclosure at the point of transmission. In a messaging/push skill this is functionally expected, but it still creates a real privacy and misuse risk because sensitive data can be sent off-host or to the wrong recipient through auto-detected accounts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly tells readers where to retrieve locally stored OpenClaw account/context token data, which can enable unauthorized message sending or account impersonation if those files are accessed by an untrusted operator or co-located process. In this skill’s context—focused on bypassing messaging restrictions and troubleshooting bot/session behavior—these instructions materially increase the risk of credential misuse rather than serving as neutral documentation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal