WeRead AI Reading Assistant (微信读书 AI 阅读助手)

Advisory. Audited by static analysis on May 13, 2026.

Overview

Detected: suspicious.dangerous_exec

Concerns (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A compromised or malicious login page response could make the skill run unintended commands on your machine during QR login.

Why it was flagged

A URL read from the live login frame (the src attribute of the QR image) is interpolated into a shell command string passed to execSync. Because the string is parsed by a shell, any quote, semicolon, backtick, or $(...) sequence in that attribute value becomes part of the command, so a tampered or attacker-controlled login page could make the login script execute unexpected local commands.

Skill content
const qrCodeUrl = await loginFrame.evaluate(() => { ... getAttribute('src') ... }); ... execSync(`curl -sL "${fullQrUrl}" -o "${QR_CODE_FILE}"`, { timeout: 10000 });
Recommendation

Replace execSync with a safe download method such as Playwright/Node HTTP APIs or execFile/spawn with argument arrays, and validate the QR URL host and scheme before downloading.

What this means

Anyone or any process that can read the cookie file may be able to access your WeRead session.

Why it was flagged

The skill stores authenticated WeRead browser cookies in a local JSON file (profile/weread-cookies.json) and reuses them for later account access. The cookies are the session: whoever can read the file can act as the logged-in account without the QR login.

Skill content
const COOKIES_FILE = path.join(PROFILE_DIR, 'weread-cookies.json'); ... const cookies = await context.cookies(); fs.writeFileSync(COOKIES_FILE, JSON.stringify(cookies, null, 2), 'utf-8');
Recommendation

Use a dedicated or low-risk WeRead account, protect the skill directory permissions, and delete profile/weread-cookies.json when you no longer need the skill.

What this means

Your private reading history, highlights, notes, and discussions can remain in the workspace and may later be read by an agent as context.

Why it was flagged

The skill persists chapter content, annotations, notes, screenshots, and chat history as local context for future AI discussion.

Skill content
Fetch full chapter text → archive and discuss with AI → automatically pull highlights and notes ... chat history is saved automatically to books/<书名>/chat.md (where <书名> is the book title)
Recommendation

Treat book and notes content as data rather than instructions, review the books/ directory regularly, and delete sensitive archives when finished.

What this means

Using the skill may violate service rules or trigger account restrictions, even if it only accesses books available to your account.

Why it was flagged

The skill intentionally automates reconstruction of protected WeRead chapter text, and its own documentation discloses a risk of account bans.

Skill content
The WeRead web version uses CSS absolute positioning to scatter characters as copyright protection... sort them by visual coordinates (top/left) and reassemble to rebuild the complete chapter text. ... Using this tool carries a risk of account bans
Recommendation

Use it only for content you are allowed to access and export, avoid unattended bulk use, and consider the documented secondary-account advice.

What this means

You may need to verify the code and dependency installation yourself before trusting it with account cookies.

Why it was flagged

The registry metadata provides no trusted source or homepage and no install procedure, even though the included scripts depend on Node and Playwright, so there is no upstream to compare the shipped code against.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Recommendation

Install dependencies only from trusted registries, compare the included code with any upstream repository you choose to use, and prefer a release with complete provenance metadata.

Findings (1)

critical

suspicious.dangerous_exec

Location
scripts/login.js:149
Finding
Shell command execution detected (child_process).