wxauto

Security checks across malware telemetry and agentic risk

Overview

This WeChat automation skill is mostly purpose-aligned, but it grants broad access to private messages and can start a local service and send tokens/data to configurable endpoints with weak guardrails.

Review before installing. Use only with your own authorized WeChat account, change the default token, keep the API bound to localhost/127.0.0.1, avoid remote BASE_URL values unless you fully trust the endpoint, and do not allow automatic service startup unless you have inspected and trust the wxauto-restful-api directory being executed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Start service in background
        if sys.platform == "win32":
            subprocess.Popen(
                [sys.executable, "run.py"],
                cwd=str(service_dir),
                env=env,
Confidence
93% confidence
Finding
subprocess.Popen( [sys.executable, "run.py"], cwd=str(service_dir), env=env, creationflags=subprocess.CREATE_NO_WINDOW | sub

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                creationflags=subprocess.CREATE_NO_WINDOW | subprocess.DETACHED_PROCESS
            )
        else:
            subprocess.Popen(
                [sys.executable, "run.py"],
                cwd=str(service_dir),
                env=env,
Confidence
93% confidence
Finding
subprocess.Popen( [sys.executable, "run.py"], cwd=str(service_dir), env=env, stdout=subprocess.DEVNULL, stde

Tainted flow: 'base_url' from os.environ.get (line 129, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def check_service_alive(base_url):
    """Check if service is responding."""
    try:
        resp = requests.get(f"{base_url}/", timeout=3)
        return resp.status_code == 200
    except Exception:
        return False
Confidence
95% confidence
Finding
resp = requests.get(f"{base_url}/", timeout=3)

Tainted flow: 'url' from os.environ.get (line 236, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
    url = f"{BASE_URL}{endpoint}"
    try:
        if method == "GET":
            resp = requests.get(url, headers=get_headers(), timeout=10)
        else:
            resp = requests.post(url, headers=get_headers(), json=data or {}, timeout=10)
        return resp.json()
Confidence
97% confidence
Finding
resp = requests.get(url, headers=get_headers(), timeout=10)

Tainted flow: 'url' from os.environ.get (line 236, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        if method == "GET":
            resp = requests.get(url, headers=get_headers(), timeout=10)
        else:
            resp = requests.post(url, headers=get_headers(), json=data or {}, timeout=10)
        return resp.json()
    except requests.exceptions.ConnectionError:
        print("Error: Cannot connect to service. Start with: python run.py")
Confidence
98% confidence
Finding
resp = requests.post(url, headers=get_headers(), json=data or {}, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires environment access, file reads, network communication, and shell/process execution. This under-disclosure is dangerous because users and policy systems cannot accurately assess that the skill can read local configuration, contact a local service, and launch processes on the host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description emphasizes WeChat automation, but the documented behavior also includes discovering local service directories, reading status files, auto-starting a backend via subprocess, and querying account/session information. That mismatch materially expands the operational scope and increases risk because a user may authorize messaging automation without realizing the skill can inspect local state and launch background processes.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill automatically starts and manages an external local service when no running instance is found. In this context, that expands the attack surface beyond merely operating WeChat through an API client and can unexpectedly execute local code or trust attacker-manipulated service metadata/files.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Executing a local Python service subprocess is a sensitive capability not inherently required for simple API consumption. In a messaging automation skill, this increases risk because compromise of the referenced service path results in local arbitrary code execution under the user's account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises reading chat history, monitoring new messages, and retrieving friend/group lists, but it does not provide a clear privacy warning or consent boundary for handling highly sensitive personal communications and contact data. In this context, the capability is expected for WeChat automation, but the absence of explicit privacy disclosure makes accidental over-collection and misuse more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that the script may automatically start the local wxauto-restful-api service if it is not running, but it does not clearly warn users that a new local process may be launched. Silent or unexpected process execution is security-relevant because it changes host state, may expose a local HTTP endpoint, and can surprise users who only expected a simple client-side command.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI help epilog prints the current TOKEN value directly, which can expose credentials in terminal output, logs, screenshots, command wrappers, or support bundles. Since this token authenticates access to WeChat automation APIs, disclosure can let another local or nearby observer use the service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits message contents, chat history queries, contact names, and related metadata over plain HTTP by default. In a WeChat automation context this data is highly sensitive, and using cleartext transport creates confidentiality and integrity risk if the endpoint is not strictly loopback or if traffic is intercepted locally.

VirusTotal

65/65 vendors flagged this skill as clean.