"微信公众号草稿上传" (WeChat Official Account Draft Upload)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate WeChat draft publishing, but its artifacts reportedly include under-disclosed draft-reading/export behavior and exposed WeChat credentials.

Review before installing. Only use this if you trust the publisher and have rotated or replaced any embedded WeChat credentials. Treat it as capable of reading and exporting existing WeChat drafts, not just uploading Markdown. Because the wrapper executes upload_draft.py by a relative path, run it only from a directory you control: whatever file of that name sits in the current working directory is what actually gets executed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (14)

exec() call detected

High
Category
Dangerous Code Execution
Content
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')
sys.stderr = io.TextIOWrapper(sys.stderr.buffer, encoding='utf-8')

exec(open('upload_draft.py', encoding='utf-8').read())
Confidence
97% confidence
Finding
exec(open('upload_draft.py', encoding='utf-8').read())

Direct flow: open (file read) → exec (code execution)

High
Category
Data Flow
Content
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')
sys.stderr = io.TextIOWrapper(sys.stderr.buffer, encoding='utf-8')

exec(open('upload_draft.py', encoding='utf-8').read())
Confidence
98% confidence
Finding
exec(open('upload_draft.py', encoding='utf-8').read())
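The two findings above describe the same open() → exec() flow. The scanner below is an added example written for this page, not SkillSpector's detector: it parses Python with the standard ast module and reports exec()/eval() calls whose argument is a direct open(...).read() or a name that was assigned from one. SAMPLE is a constructed input that mirrors the quoted wrapper plus a variable-mediated variant; it is not the skill's source.

```python
"""Added example: flag exec()/eval() calls fed by a file read (direct or via a variable)."""
import ast

SINKS = {"exec", "eval"}

# Constructed sample input for this example; line 4 mirrors the wrapper quoted in the
# findings, lines 5-6 add the variable-mediated form, line 7 is a harmless constant.
SAMPLE = """
import io, sys
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')
exec(open('upload_draft.py', encoding='utf-8').read())
src = open('helper.py').read()
eval(src)
exec("print('constant')")
"""


def _is_file_read(node):
    """True for an expression of the shape open(...).read()."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "read"
            and isinstance(node.func.value, ast.Call)
            and isinstance(node.func.value.func, ast.Name)
            and node.func.value.func.id == "open")


def find_tainted_sinks(source):
    """Return [(lineno, sink_name, flow_kind)] for exec/eval calls fed by file contents."""
    tree = ast.parse(source)
    # Pass 1: names that receive the result of open(...).read(). This is flow-insensitive
    # (a name counts as tainted everywhere once it is assigned from a file), which
    # over-approximates but never misses the pattern.
    tainted = {
        target.id
        for node in ast.walk(tree)
        if isinstance(node, ast.Assign) and _is_file_read(node.value)
        for target in node.targets
        if isinstance(target, ast.Name)
    }
    # Pass 2: classify the first argument of every exec()/eval() call.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in SINKS and node.args):
            continue
        arg = node.args[0]
        if _is_file_read(arg):
            findings.append((node.lineno, node.func.id, "direct"))
        elif isinstance(arg, ast.Name) and arg.id in tainted:
            findings.append((node.lineno, node.func.id, "variable-mediated"))
        elif not isinstance(arg, ast.Constant):
            # Anything else non-constant still deserves a human look.
            findings.append((node.lineno, node.func.id, "unresolved"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, sink, kind in find_tainted_sinks(SAMPLE):
        print(f"line {lineno}: {sink}() fed by {kind} file-read flow")
```

Run as a script it lists the flagged lines. The detector deliberately ignores constant-string arguments, so only code whose source comes from disk is reported; the quoted wrapper also opens upload_draft.py by a relative path, which is why the overview warns against running it from a directory you do not control.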

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs reading local files, generating or saving content locally, and calling external WeChat APIs, but it does not declare corresponding permissions. This creates a trust and review gap: operators may approve or invoke the skill without realizing it can access local content and transmit data over the network, increasing the chance of unintended data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is uploading a local Markdown article to WeChat drafts, but the analyzed behavior reportedly also includes listing existing drafts, searching by title, fetching drafts, printing full draft HTML, saving existing draft content locally, and using hardcoded credentials and paths. Those extra capabilities materially expand data-access scope and could expose sensitive unpublished content or secrets, especially if users invoke the skill expecting only a one-way upload.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill manifest says it uploads local Markdown articles to the WeChat draft box, but this script instead enumerates existing drafts, retrieves full article HTML, and exports it locally. That capability materially expands data access beyond the stated purpose and can expose sensitive unpublished content, making it a functionality-mismatch vulnerability rather than a harmless implementation detail.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code prints full draft content and writes it to a local HTML file, creating an extraction/export path not justified by the stated upload workflow. In this skill context, unpublished WeChat drafts may contain confidential marketing, legal, or embargoed material, so silent local export increases confidentiality risk and broadens the blast radius if the host is shared or compromised.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script's behavior materially exceeds the stated skill purpose: instead of only uploading local Markdown into the WeChat draft box, it retrieves existing drafts, prints their full HTML, and exports them to disk. In a skill that is expected to perform create/upload actions, adding read-and-export capability increases the risk of unauthorized content disclosure and makes credential misuse more dangerous.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code writes retrieved draft HTML and metadata to a local file, creating a persistent local copy of potentially sensitive unpublished content. This is not justified by the declared upload/create-only purpose and can expose confidential drafts to other local users, backups, logs, or unintended downstream processing.
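The mismatch and context-inappropriate findings above all reduce to one check: the capabilities the code exercises exceed the declared purpose. As an added example (not SkillSpector's code), the script below extracts the observed capabilities from a Python source with the ast module and diffs them against an allow-list keyed by declared purpose. The WeChat endpoint names (cgi-bin/token, draft/add, draft/get, draft/batchget) are assumptions taken from the public draft API naming; the findings on this page do not quote the script's URLs, and SAMPLE_SCRIPT is a constructed stand-in, not the skill's source.

```python
"""Added example: diff a skill's declared purpose against the capabilities its code uses."""
import ast
import re

# Capabilities each declared purpose is entitled to. The endpoint names are an assumption
# drawn from the public WeChat draft API; adjust them to the API surface you actually audit.
ALLOWED = {
    "upload-draft": {"api:token", "api:draft/add", "fs:read"},
}
API_PATH = re.compile(r"/cgi-bin/((?:draft/)?\w+)")

# Constructed stand-in for the analysed script (parsed only, never executed).
SAMPLE_SCRIPT = '''
import requests
token = requests.get("https://api.weixin.qq.com/cgi-bin/token", params=p).json()["access_token"]
md = open("article.md", encoding="utf-8").read()
requests.post("https://api.weixin.qq.com/cgi-bin/draft/add", json=body)
drafts = requests.post("https://api.weixin.qq.com/cgi-bin/draft/batchget", json={"offset": 0}).json()
item = requests.post("https://api.weixin.qq.com/cgi-bin/draft/get", json={"media_id": mid}).json()
open("exported_draft.html", "w", encoding="utf-8").write(item["content"])
'''


def _open_mode(node):
    """Mode string of an open() call ('r' when omitted), or None if node is not open()."""
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "open"):
        return None
    for kw in node.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
        return node.args[1].value
    return "r"


def observed_capabilities(source):
    """Set of 'api:<path>' and 'fs:read'/'fs:write' capabilities found in the source."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for path in API_PATH.findall(node.value):
                caps.add("api:" + path)
        mode = _open_mode(node)
        if mode is not None:
            caps.add("fs:write" if any(c in mode for c in "wax+") else "fs:read")
    return caps


def undeclared_capabilities(purpose, source):
    """Capabilities the code uses that the declared purpose does not cover."""
    return sorted(observed_capabilities(source) - ALLOWED[purpose])


if __name__ == "__main__":
    for cap in undeclared_capabilities("upload-draft", SAMPLE_SCRIPT):
        print("undeclared capability:", cap)
```

Against the constructed sample, the check surfaces exactly the three behaviours the findings complain about: listing drafts, fetching a draft, and writing its content to a local file. String-literal matching is cheap and misses URLs built at runtime, so treat a clean result as necessary rather than sufficient.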

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The wrapper hardcodes a specific WeChat appid and secret into sys.argv, binding the skill to fixed credentials that are unrelated to the invoking user. In a reusable agent skill, this can cause unintended use of the author's account, credential exposure, and cross-tenant abuse if the skill is shared or inspected.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad enough that the skill may activate in loosely related publishing scenarios without clear boundaries. In a skill that reads local files and sends content to an external platform, accidental invocation can cause unintended processing or disclosure of user content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Passing the AppSecret on the command line can expose it through shell history, process listings, CI logs, and telemetry. In this context the secret grants API access to the official account, so leakage could enable unauthorized draft access, content manipulation, or broader account abuse depending on associated privileges.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The script silently writes retrieved draft HTML to a local file, which can leave sensitive unpublished content at rest on disk without the user's informed consent. While local export is not inherently malicious, doing it automatically in a skill advertised for uploading increases the chance of accidental disclosure through backups, shared folders, or later exfiltration.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The AppSecret is accepted as a command-line argument, which can expose it through shell history, process listings, audit trails, and automation logs. Because the same credential is then used to obtain an access token for draft retrieval, compromise of the secret can enable broader unauthorized access to the associated WeChat public account.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script contains a hardcoded WeChat secret in plaintext, which is a direct credential exposure issue. Anyone with access to the repository, logs, backups, or the distributed skill can extract the secret and use the associated public account API privileges, potentially uploading content or accessing account resources.
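The credential findings above (appid and secret hardcoded into sys.argv, AppSecret accepted on the command line, plaintext secret in source) share one fix: the secret must never reach argv or the repository. The code below is an added example, not the skill's code. It reproduces the argv anti-pattern with placeholder values beside a loader that takes the secret from an environment variable or an owner-only file and redacts it for logs. The 32-hex-character AppSecret shape and the WECHAT_APP_SECRET variable name are assumptions.

```python
"""Added example: keep the WeChat AppSecret off the command line and out of source."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: an AppSecret is 32 lowercase hex characters; adjust SECRET_RE if yours differs.
SECRET_RE = re.compile(r"^[0-9a-f]{32}$")


def vulnerable_wrapper_argv():
    """The anti-pattern from the findings: a wrapper that overwrites sys.argv with fixed
    credentials before running the worker script. Values are placeholders, not real keys."""
    return ["upload_draft.py", "wx0000000000000000", "0" * 32, "article.md"]


def argv_leaks_secret(argv):
    """True if any argument looks like an AppSecret. Such a value is visible to every local
    user in process listings and lands in shell history and CI logs."""
    return any(SECRET_RE.match(arg) for arg in argv)


def read_secret_file(path):
    """Read a secret from a file, refusing files that group or others can read.
    (Mode bits are meaningful on POSIX; on Windows check the ACL instead.)"""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/others (mode {mode:o})")
    return Path(path).read_text(encoding="utf-8").strip()


def load_app_secret(env_var="WECHAT_APP_SECRET", secret_file=None, environ=None):
    """Take the secret from the environment, else from an owner-only file; never from argv."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if value is None and secret_file is not None:
        value = read_secret_file(secret_file)
    if value is None or not SECRET_RE.match(value):
        raise ValueError(f"no well-formed AppSecret: set {env_var} or pass a 0600 secret file")
    return value


def redact(secret):
    """What may go into logs: enough to identify which key, never the whole value."""
    return secret[:4] + "..." + secret[-2:]


if __name__ == "__main__":
    print("wrapper argv leaks a secret:", argv_leaks_secret(vulnerable_wrapper_argv()))
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "app_secret")
        Path(p).write_text("ab" * 16, encoding="utf-8")   # placeholder value
        os.chmod(p, 0o600)
        print("loaded from file:", redact(load_app_secret(secret_file=p, environ={})))
        os.chmod(p, 0o644)
        try:
            load_app_secret(secret_file=p, environ={})
        except PermissionError as exc:
            print("rejected:", exc)
```

The environment route still exposes the secret to anything that can read the process environment, so an owner-only file (or a platform secret store) is the stronger option on shared hosts; either way the secret never appears in argv, source, or log lines.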

VirusTotal

0/63 vendors flagged this skill; all 63 reported it clean. Antivirus engines look for known malware signatures, not for the scope, credential-handling, or exec() issues listed above, so a clean scan does not offset those findings.
