Enterprise WeChat Archive Service

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Enterprise WeChat archive service, but it ships with hardcoded enterprise credentials and exposes sensitive chat-archive APIs without adequate built-in access controls.

Do not deploy this unchanged. Remove and rotate the embedded WeCom credentials, make the service read only your own secret store/config, remove fixed third-party domain constants, disable or protect debug/query endpoints, add strong authentication and network restrictions before any tunnel/public exposure, and verify encryption, retention, logging, and legal/employee-notice requirements for archived chats. VirusTotal was pending and the static scan was clean, but the Review verdict is based on the artifact-backed issues above.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises deployment and operation steps that clearly require file I/O, network access, and shell execution, but it does not declare permissions or capabilities up front. This creates a transparency and trust problem: users may approve or run the skill without understanding that it can install software, expose services, write databases, and handle external callbacks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior appears broader than the declared purpose, including active outbound messaging, debug functionality, query/statistics interfaces, lifecycle scripts, and mention of embedded credentials/configuration. When a skill handling enterprise chat archives understates its true behavior, operators may expose sensitive systems or data without realizing the full attack surface, especially if undocumented endpoints or hardcoded secrets exist.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The service exposes message archive query and statistics endpoints without any authentication or authorization checks, allowing any network client to retrieve archived enterprise chat content and metadata. In the context of a WeWork archiving service, this is especially dangerous because the stored data can include sensitive internal communications, making unauthorized disclosure highly likely if the service is reachable.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The `/debug/signature` endpoint exposes a public utility that will verify arbitrary signatures using attacker-supplied inputs, which is unrelated to the production business purpose and increases the attack surface. Although it does not directly reveal secrets, leaving debug functionality exposed can aid reconnaissance, misuse, and future chaining with other weaknesses.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly advertises capabilities such as "conversation content archiving" and "message query", but the feature description does not adequately disclose that the service will collect, store, and potentially process highly sensitive data such as employee chat records and group-chat information. For enterprise communication content of this kind, the absence of a prominent risk notice reduces the deployer's attention to privacy, compliance, access control, and the consequences of data leakage, increasing the risk of mis-deployment or over-collection.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README lists query and management interfaces such as `/messages`, `/stats`, `/config`, and `/backup`, but does not state authentication, source-restriction, or configuration-redaction requirements, so users may expose these interfaces directly as documented. If the actual deployment lacks authentication or network isolation, an attacker could read message content, obtain configuration information, or even trigger backups, leading to leakage of sensitive communication data and key-related information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly stores and exposes query interfaces for archived enterprise chat content but does not prominently warn about the sensitivity of personal, legal, business, or regulated data that may be captured. Without strong access-control and privacy guidance, operators may deploy a searchable archive containing confidential communications in an unsafe manner.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions encourage exposing callback and archive endpoints to the public internet via domain mapping and tunneling, but they do not clearly explain the security consequences of making a message-ingestion and archive service internet-accessible. In this context, public exposure increases risk of unauthorized probing, misconfiguration, abuse of open endpoints, and potential compromise of stored chat data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly instructs users to expose the service publicly through Cloudflare Tunnel, but it does not warn that this makes callback endpoints internet-reachable or explain the need for strict access controls, rate limiting, logging, and safe network scoping. In the context of an enterprise WeWork callback and archive service, public exposure increases attack surface and could enable probing, abuse of misconfigured endpoints, or unauthorized access if the underlying service is weakly protected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly recommends configuring a wildcard DNS record that maps all subdomains to the tunnel, but it does not warn that this greatly expands the externally reachable namespace and can unintentionally expose services beyond the intended Enterprise WeChat endpoint. In the context of a callback/archive service, broad exposure increases attack surface, makes hostname-based routing mistakes more dangerous, and can enable accidental publication of internal apps.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document describes decrypting and storing Enterprise WeChat archived conversation content, which is highly sensitive employee communication data, but does not prominently warn about consent, legal basis, retention limits, access restrictions, or downstream privacy obligations. In the context of a skill implementing callback and archive services, this omission can lead operators to deploy surveillance-capable functionality without adequate notice or controls, creating privacy, compliance, and insider-abuse risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document gives step-by-step instructions to enable Enterprise WeChat conversation archiving but does not clearly warn operators that this feature captures employee communications and may trigger privacy, consent, retention, labor, and cross-border data compliance obligations. In a deployment guide for an archive service, that omission is security-relevant because it can lead users to activate broad surveillance and sensitive-data collection without required approvals or safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.
