wechat-manager

Security checks across malware telemetry and agentic risk

Overview

This WeChat skill is purpose-built for chat management, but it needs review because it handles private messages, contacts, monitoring, and auto-reply rules without clear consent or safety limits.

Install only if you are comfortable giving an agent access to WeChat-derived message and contact data. Use it on a dedicated, trusted account or workspace, review the openclaw-weixin permissions, avoid shared agent sessions, and treat auto-reply rules as account actions that should be explicitly reviewed before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises capabilities such as file archiving and content extraction, and the static analyzer detected file read/write behavior, but the manifest does not declare any corresponding permissions or scope. This creates a transparency and least-privilege problem: users and the platform cannot clearly assess what local file access the skill may perform, which is especially risky for a chat-management skill handling sensitive message data and attachments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises chat analytics, content extraction, contact management, and auto-reply over WeChat data but provides no privacy, consent, retention, or access-control warnings. In a messaging skill, this omission is security-relevant because users may enable sensitive message processing without understanding that personal conversations and contact data are being analyzed or acted on.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage example '设置自动回复' ("set up auto-reply") promotes automatic replies without warning that the system may send messages on the user's behalf. For a WeChat-integrated agent, this can lead to unintended impersonation, accidental disclosure, spam-like behavior, or policy violations if users enable the feature without understanding its scope and triggers.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description is very broad and covers many common WeChat-related terms, making accidental activation likely during ordinary conversation. For a skill that can access messages, contacts, files, and monitoring features, overbroad invocation increases the chance of unintended exposure or actions without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation conditions are ambiguous because they describe broad categories like viewing messages, managing contacts, and extracting chat information without clear boundaries or consent gates. In this context, ambiguity is dangerous because the skill operates on privacy-sensitive communications data and could be invoked for passive monitoring or analysis when the user did not intend to grant that level of access.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill description promotes access to chats, contacts, file archiving, and '朋友圈监控' ("Moments monitoring") without any warning about privacy, consent, retention, or monitoring implications. Because these features involve highly sensitive personal and social data, the lack of disclosure materially increases the risk of covert surveillance, overcollection, and misuse by users who may not understand the scope of access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads a local database of WeChat messages and prints links, todo items, and addresses directly to stdout without any warning, confirmation, minimization, or masking. This can expose highly sensitive personal and conversational data to logs, terminals, or downstream tools, especially in an agent environment where command output may be captured automatically.

VirusTotal

66/66 vendors flagged this skill as clean.
