Back to skill

Security audit

WeCom文件检测

Security checks across malware telemetry and agentic risk

Overview

This WeCom file helper is mostly purpose-aligned, but it can scan local chat attachments on broad prompts and encourages copying sensitive files into persistent work folders without clear confirmation.

Install only if you want your agent to inspect WeCom inbound attachments under ~/.openclaw/media/inbound/. Use explicit filenames or confirm the target file before opening it, and require a clear approval step before copying anything into companywork/ or retaining sensitive documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill’s stated purpose is detecting and retrieving WeCom inbound files, but it additionally instructs the agent to create directories and copy files into companywork/. That expands scope from read-oriented discovery into persistent filesystem modification, which can duplicate sensitive documents, move data into broader-access locations, and cause unintended retention without explicit user consent or policy checks.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation conditions are broad enough to trigger on generic file-related requests such as getting or sending files, without clearly limiting the source to WeCom inbound attachments. Overbroad triggering can cause the wrong skill to activate, leading the agent to inspect local message-file directories or surface files the user did not intend to access.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The repeated trigger language remains ambiguous and lacks scope boundaries, reinforcing that the skill may run for common attachment-related requests outside its intended context. In practice, this increases the chance of unintended file enumeration or access from a sensitive local directory containing prior chat-delivered documents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes scanning, reading, and processing files from a user message directory but gives no privacy notice, consent boundary, or warning that it may inspect potentially sensitive documents stored locally. Because chat attachments often include confidential business material, this context makes silent enumeration and reading more dangerous than ordinary file access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The archiving step copies files into companywork/ without warning that this modifies local storage and creates additional copies of potentially sensitive documents. This can increase data exposure, retention, and compliance risk, especially if the target directory is synchronized, shared, or less access-controlled than the inbound location.

Session Persistence

Medium
Category
Rogue Agent
Content
重要文件应存档到 companywork/ 相关目录:
```bash
mkdir -p companywork/AI赋能计划/
cp "源文件" "companywork/目标目录/"
```
Confidence
91% confidence
Finding
mkdir -p companywork/AI赋能计划/ cp "源文件" "companywork/目标目录/" ``` ## 常用命令 ```bash # 查看最近的文件 ls -lt ~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.