mp-weixin

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WeChat article extraction skill, but users should avoid using it to bypass verification or scrape with logged-in cookies.

Install only if you need to extract public WeChat article content. Use only intended mp.weixin.qq.com URLs, avoid logged-in cookies unless you are authorized and understand the risk, do not use it for CAPTCHA bypass or restricted scraping, and review JSON output paths before running automated workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence: 82%
Finding
The documentation provides a ready-made example that saves extracted article data to article.json without warning the user that content will be persisted locally. Silent or poorly signposted file creation can expose sensitive scraped data, create privacy issues, or overwrite files in automated workflows.

Ssd 2

Medium
Confidence: 93%
Finding
The claim that using a WeChat User-Agent can 'bypass captchas' promotes anti-bot evasion behavior against platform protections. Even though this is documentation rather than executable code, guidance that normalizes bypassing verification can encourage misuse, trigger account or IP blocking, and place downstream users into policy-violating scraping workflows.

Ssd 4

Medium
Confidence: 91%
Finding
The notes recommend steps such as controlling request frequency, using a fixed User-Agent, and using logged-in cookies when verification is encountered, which collectively normalize restricted scraping and anti-verification evasion. In context, this increases the likelihood that users will adapt the skill for unauthorized or policy-violating collection at scale.

VirusTotal

64/64 vendors flagged this skill as clean.