Research To Wechat

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with WeChat article production, but it can use official-account credentials to upload images and to create or modify drafts in the connected account, and it bundles a fetcher that impersonates a WeChat client in order to get past the platform's anti-scraping controls.

Install only if you intentionally want an agent to prepare WeChat drafts with your official-account credentials. Use dedicated or least-privilege credentials where possible, review the exact article files and images before any upload, avoid ambiguous prompts like 'save it' unless you want account-side draft changes, and be aware that the bundled WeChat fetcher may violate platform scraping expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exercises powerful capabilities in practice (environment access, filesystem read and write, network access, and shell execution) without an explicit permissions declaration or a user-facing consent boundary. A reviewer or runtime therefore cannot reason about what the skill is allowed to do, and because the same code handles WeChat credentials and draft delivery, the risk of unexpected data access, outbound requests, or command execution is higher than the documented purpose suggests.
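The practical check behind this finding is to infer what a skill's code actually does and diff that against what it declares. The following is an added example, not the skill's code and not part of SkillSpector: it walks the Python AST of a skill script looking for environment, filesystem, network and shell usage, then reports anything the manifest did not declare. The signal table, the manifest shape (a plain list of capability names) and the sample script are all constructed assumptions.

```python
"""Added example (not the skill's code and not part of SkillSpector): infer which
capabilities a skill's Python sources actually exercise and compare that with
what its manifest declares, so an underdeclared skill is caught at review time.
The signal table, the manifest shape and the sample source are assumptions."""
import ast

# Assumed mapping from call/attribute names to the capability they imply.
CAPABILITY_SIGNALS = {
    "environment": {"os.environ", "os.getenv", "dotenv.load_dotenv"},
    "network": {"requests.get", "requests.post", "urllib.request.urlopen",
                "httpx.get", "httpx.post"},
    "shell": {"subprocess.run", "subprocess.Popen", "subprocess.check_output",
              "os.system"},
}


def _dotted_name(node):
    """Render Name/Attribute chains such as os.environ as 'os.environ'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _open_mode(call):
    """Mode passed to open(): second positional arg, mode= keyword, else 'r'."""
    mode = "r"
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = str(kw.value.value)
    return mode


def infer_capabilities(source):
    """Return the set of capabilities the source exercises."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            fn = _dotted_name(node.func)
            if fn == "open":
                writes = any(c in _open_mode(node) for c in "wax+")
                found.add("filesystem_write" if writes else "filesystem_read")
                continue
            for cap, signals in CAPABILITY_SIGNALS.items():
                if fn in signals:
                    found.add(cap)
        elif isinstance(node, ast.Attribute):
            # os.environ["X"] and os.environ.get("X") are not calls on os.environ
            # itself, so catch the attribute access directly.
            if _dotted_name(node) in CAPABILITY_SIGNALS["environment"]:
                found.add("environment")
    return found


def audit(declared, source):
    """Compare declared capabilities with inferred ones; report the gaps."""
    inferred = infer_capabilities(source)
    return {
        "inferred": inferred,
        "underdeclared": inferred - set(declared),
        "unused": set(declared) - inferred,
    }


# Constructed stand-in for a skill script; not the real skill's source.
SAMPLE_SKILL_SOURCE = '''
import os, subprocess, requests
APPID = os.environ["WECHAT_APPID"]
SECRET = os.getenv("WECHAT_SECRET")
resp = requests.post("https://api.example.invalid/upload",
                     files={"media": open("cover.png", "rb")})
with open("draft.json", "w") as fh:
    fh.write(resp.text)
subprocess.run(["sh", "install.sh"], check=True)
'''

# Assumed manifest: the skill only admits to network and read access.
DECLARED_CAPABILITIES = ["network", "filesystem_read"]

if __name__ == "__main__":
    report = audit(DECLARED_CAPABILITIES, SAMPLE_SKILL_SOURCE)
    for key, caps in report.items():
        print(f"{key}: {sorted(caps)}")
```

Run against the constructed script, the audit reports `environment`, `shell` and `filesystem_write` as underdeclared, which is exactly the gap this finding describes. A static signal table will miss dynamic imports and aliased names, so treat a clean result as necessary rather than sufficient; the point is that a reviewer gets a concrete list to put in front of the user before install.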

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose emphasizes research and article transformation, but the skill also fetches public WeChat articles, downloads remote images, checks credential readiness, and ships an installer script. This gap between stated and actual behavior is dangerous because users may invoke the skill expecting content generation only, while it performs additional network, local-environment, and installation actions that widen the trust boundary.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The fetcher script explicitly states that it bypasses anti-scraping controls by impersonating a WeChat client; that is a deliberate evasion mechanism, not ordinary fetching. In an agent skill this raises legal, policy, and abuse risk, because it enables automated access to content that the platform's scraping controls are meant to gate.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation presents the tool as a simple article fetcher while also admitting that it bypasses anti-scraping defenses. That mismatch is dangerous because it obscures the true behavior from reviewers and users, making risky data acquisition easier to deploy without informed consent or controls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to upload images and save drafts using `WECHAT_APPID` and `WECHAT_SECRET`, but it does not clearly warn that article content, images, and associated metadata will be transmitted to Tencent/WeChat services. In a content-production skill, that omission can lead users to unknowingly send sensitive drafts or credentials into external systems, creating privacy and operational risk even if the behavior is expected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill performs credential-dependent WeChat API operations and external draft delivery but does not prominently warn users in the description that it may use app credentials and send content to third-party services. This weakens informed consent and can lead to unintended use of sensitive environment variables or unintended transmission of article content and images.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples instruct the agent to save outputs directly to a WeChat draft box, which implies transmitting generated content and related metadata to an external platform with account-side effects. Because the prompt examples do not explicitly require user confirmation or warn about external transmission, a user may trigger draft creation without understanding that content is leaving the local workflow and affecting a connected account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Referencing `WECHAT_APPID` and `WECHAT_SECRET` in example flows normalizes use of sensitive credentials without any accompanying guidance on secure handling, storage, or redaction. In an agentic environment, this increases the risk that secrets are exposed in logs, prompts, manifests, error messages, or downstream tooling, especially when users are encouraged to 'just use' official APIs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs uploading images to WeChat using app credentials and transmitting local assets to external APIs, but it does not require explicit user consent or a clear warning that content and credentials will be sent off-platform. In an agent setting, that creates a real risk of unintended external data disclosure and account-affecting actions, especially because referenced images may contain sensitive material.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The save-draft flow performs an external write to a live WeChat account and can create, update, or replace drafts, including deleting old drafts as part of remediation, without requiring a final user approval step. That is dangerous because it allows unintended modification of external state and possible loss of existing draft content whenever the agent acts automatically or on an ambiguous instruction such as 'save it'.
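The two gaps above (secrets leaking into logs, and account writes with no approval step) are both closed by the same small wrapper, so one added example covers both. This is illustrative code, not the skill's own delivery code and not a WeChat SDK: it masks the `WECHAT_APPID` and `WECHAT_SECRET` values in every log record, builds an explicit plan of every account-side operation before anything is sent, refuses plans that contain a delete or replace unless the reviewer opts in, and binds the approval to a hash of the exact plan so a plan that changes after approval cannot execute. The plan format, the `transport` callable standing in for the HTTP calls, and the sample article are constructed assumptions.

```python
"""Added example (not the skill's code): redact credentials from logs and gate
every account-side draft write behind approval of the exact plan. The plan
format, the transport callable and the sample inputs are assumptions."""
import hashlib
import json
import logging

# Operations that can destroy existing draft content; refused unless opted in.
DESTRUCTIVE_OPS = {"delete_draft", "replace_draft"}


class SecretRedactor(logging.Filter):
    """Logging filter that masks known secret values wherever they appear."""

    def __init__(self, secrets):
        super().__init__()
        # Longest value first, so a secret that prefixes another is still masked.
        self._secrets = sorted(
            ((k, v) for k, v in secrets.items() if v), key=lambda kv: -len(kv[1])
        )

    def redact(self, text):
        for name, value in self._secrets:
            text = text.replace(value, f"[REDACTED:{name}]")
        return text

    def filter(self, record):
        # Format first, then mask, so secrets passed as %-args are caught too.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


def build_plan(appid, article, existing_draft_id=None, delete_old=False):
    """Describe every account-side effect before anything is sent."""
    ops = [{"op": "upload_image", "path": p} for p in article.get("images", [])]
    title = article["title"]
    if existing_draft_id and delete_old:
        ops.append({"op": "delete_draft", "draft_id": existing_draft_id})
        ops.append({"op": "create_draft", "title": title})
    elif existing_draft_id:
        ops.append({"op": "update_draft", "draft_id": existing_draft_id, "title": title})
    else:
        ops.append({"op": "create_draft", "title": title})
    return {"account": appid, "operations": ops}


def plan_digest(plan):
    """Stable hash of the plan; approval is bound to this exact content."""
    canonical = json.dumps(plan, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def approve(plan, allow_destructive=False):
    """The human step: show the plan, return a token only this plan satisfies."""
    destructive = [o["op"] for o in plan["operations"] if o["op"] in DESTRUCTIVE_OPS]
    if destructive and not allow_destructive:
        raise PermissionError(f"plan contains destructive ops {destructive}; refused by default")
    return plan_digest(plan)


def execute(plan, approval_token, transport, log):
    """Send each operation through `transport` only if the token matches the plan."""
    if approval_token != plan_digest(plan):
        raise PermissionError("approval token does not match the plan being executed")
    results = []
    for op in plan["operations"]:
        log.info("sending %s", json.dumps(op))  # passes through SecretRedactor
        results.append(transport(op))
    return results


if __name__ == "__main__":
    # Constructed credentials and article; nothing here is a real account.
    secrets = {"WECHAT_APPID": "wx0123456789abcdef", "WECHAT_SECRET": "s3cr3t-do-not-log"}
    log = logging.getLogger("draft-delivery")
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler())
    log.addFilter(SecretRedactor(secrets))

    def fake_transport(op):  # stands in for the HTTP call to the draft API
        return {"ok": True, "op": op["op"]}

    article = {"title": "Weekly research digest", "images": ["cover.png"]}
    plan = build_plan(secrets["WECHAT_APPID"], article, existing_draft_id="d-42", delete_old=True)
    token = approve(plan, allow_destructive=True)  # reviewer explicitly accepted the delete
    log.info("appid=%s secret=%s", secrets["WECHAT_APPID"], secrets["WECHAT_SECRET"])
    print(execute(plan, token, fake_transport, log))
```

Two design points matter here. Approval is a hash of the canonical plan rather than a boolean, so an agent that silently adds an image or switches the draft id after the user said yes is stopped at `execute`, which is the ambiguity the 'save it' prompt creates. And destructive operations are refused unless the reviewer opts in, which turns the "delete old drafts as part of remediation" behaviour into something the user sees and accepts rather than something that happens on its own. The gate only helps if the agent cannot call `plan_digest` itself, so in a real deployment the approval step lives across a process or UI boundary rather than in the same interpreter.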

VirusTotal

65/65 vendors flagged this skill as clean.
