zhihu-to-wechat

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent WeChat draft workflow, but it handles powerful account credentials and cached tokens with too little scoping and user control.

Install only if you are comfortable giving this skill access to a WeChat service account and letting it create drafts and upload media. Prefer environment variables or a credential vault over chat context, avoid pasting browser cookies, review generated content and images before draft creation, and remove or rotate cached WeChat tokens after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill describes executable behavior that uses environment variables, local files, file generation, and outbound network access, but it declares no permissions or trust boundaries. This creates a mismatch between what the skill can do and what reviewers or users may expect, increasing the chance of unreviewed data access, secret use, and external publication actions.

Vague Triggers

High
Confidence
95% confidence
Finding
The skill uses broad trigger phrases, such as any general request for a public-account article, and states that it must activate on them, so it can run in many ordinary writing scenarios without clear user intent. Because the workflow includes credential collection, web access, file generation, and draft publication, accidental activation materially increases the risk of unwanted external actions and data handling.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill instructs collection of highly sensitive secrets such as WECHAT_APP_SECRET and API keys and says to store them in conversation context, without warning about sensitivity, retention, masking, or safer secret-storage mechanisms. Conversation context is often broader-lived and more exposed than a dedicated secret store, so compromise or accidental disclosure could enable unauthorized API use and account abuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs use of AppSecret and an Unsplash Access Key but does not warn that these credentials must remain server-side and never be embedded in client-side code, logs, or public artifacts. In a skill that automates external publishing, mishandling these secrets could let an attacker publish content, consume quotas, or access connected third-party resources.
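The two findings above both come down to where the AppSecret and Unsplash key live and where they can leak to. The following is an added example written for this review, not code from the skill: it loads the credentials from the process environment and refuses to fall back to chat input, keeps the secret values out of repr() and log lines, and scrubs WeChat-style `secret=` and `access_token=` query parameters before anything is logged or echoed back to the user. WECHAT_APP_SECRET is the variable the page names; WECHAT_APP_ID and UNSPLASH_ACCESS_KEY are names assumed here for illustration.

```python
import os
import re
from dataclasses import dataclass
from typing import Mapping

# WECHAT_APP_SECRET is named on the page; the other two variable names are
# assumptions for this example.
REQUIRED = ("WECHAT_APP_ID", "WECHAT_APP_SECRET", "UNSPLASH_ACCESS_KEY")


@dataclass(frozen=True)
class Credentials:
    app_id: str
    app_secret: str
    unsplash_key: str

    def __repr__(self) -> str:
        # Secret values must never surface through repr()/str(), e.g. in a traceback
        # or a debug print of the object.
        return "Credentials(app_id=%r, app_secret=<redacted>, unsplash_key=<redacted>)" % self.app_id


def load_credentials(env: Mapping[str, str] = os.environ) -> Credentials:
    """Read credentials from the environment (or a vault-populated mapping), never from chat text.

    Fails closed: a missing or empty variable raises instead of silently
    prompting the user to paste the value into the conversation.
    """
    missing = [name for name in REQUIRED if not env.get(name, "").strip()]
    if missing:
        raise RuntimeError(
            "missing credential(s) %s; set them as environment variables or via a "
            "secret manager, do not paste them into the chat" % ", ".join(missing)
        )
    return Credentials(
        env["WECHAT_APP_ID"].strip(),
        env["WECHAT_APP_SECRET"].strip(),
        env["UNSPLASH_ACCESS_KEY"].strip(),
    )


class Redactor:
    """Masks known secret values and token-bearing query parameters in text before it is logged."""

    def __init__(self, creds: Credentials) -> None:
        self._secrets = [s for s in (creds.app_secret, creds.unsplash_key) if s]
        # WeChat API calls carry the AppSecret and the access token as URL query
        # parameters, so request URLs are a common place for them to leak.
        self._param_re = re.compile(r"(?i)([?&](?:secret|access_token)=)[^&\s]+")

    def __call__(self, text: str) -> str:
        # Longest secret first so a shorter secret that is a substring of a
        # longer one cannot leave a partial value behind.
        for secret in sorted(self._secrets, key=len, reverse=True):
            text = text.replace(secret, "<redacted>")
        return self._param_re.sub(r"\1<redacted>", text)
```

Wire the redactor into the logging formatter or whatever path echoes tool output back into the conversation; the point is that the raw secret string is only ever held in the Credentials object and the outbound request, not in anything the model or the transcript sees.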

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persists the WeChat access token to a predictable file in the user's home directory without setting restrictive permissions or warning the user. On multi-user systems, shared environments, backups, or compromised local sessions, this can expose a reusable credential that allows API actions against the connected WeChat account until expiry.
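The fix for this finding is small: create the cache with user-only permissions from the start, write it atomically, refuse to use a cache that has since become readable by others, and delete it when the workflow is done. The following is an added example for this review, not the skill's own code; the cache path, the JSON layout and the 60-second expiry skew are assumptions chosen for illustration.

```python
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Optional

# The path is an assumption for this example; the page only says the original
# code writes the token to a predictable file under the user's home directory.
DEFAULT_CACHE = Path.home() / ".wechat_token.json"
UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def save_token(token: str, expires_in: int, path=DEFAULT_CACHE, now: Optional[float] = None) -> Path:
    """Persist an access token so that only the current user can read it.

    mkstemp creates the temporary file with mode 0600 regardless of umask, the
    JSON is written there, and the file is renamed over the cache path, so a
    crash mid-write never leaves a half-written or wider-permissioned cache.
    """
    now = time.time() if now is None else now
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(dir=str(path.parent), prefix=".tok-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump({"access_token": token, "expires_at": now + expires_in}, f)
        os.chmod(tmp_name, stat.S_IRUSR | stat.S_IWUSR)  # belt and braces: 0600
        os.replace(tmp_name, path)
    finally:
        if os.path.exists(tmp_name):  # only true if the rename did not happen
            os.unlink(tmp_name)
    return path


def load_token(path=DEFAULT_CACHE, now: Optional[float] = None, skew: int = 60) -> Optional[str]:
    """Return the cached token, or None if there is no usable cache.

    A cache file that is readable or writable by group/others is treated as
    already compromised: it is deleted instead of used, because any local user
    could have copied the token while it was exposed. Tokens within `skew`
    seconds of expiry are also rejected so an in-flight upload does not fail.
    """
    now = time.time() if now is None else now
    path = Path(path)
    try:
        st = path.stat()
    except FileNotFoundError:
        return None
    if os.name == "posix" and st.st_mode & UNSAFE_BITS:
        path.unlink()
        return None
    try:
        data = json.loads(path.read_text())
        token, expires_at = str(data["access_token"]), float(data["expires_at"])
    except (ValueError, KeyError, TypeError):
        path.unlink()  # corrupt cache: drop it rather than guess
        return None
    if now + skew >= expires_at:
        return None
    return token


def revoke_cache(path=DEFAULT_CACHE) -> bool:
    """Delete the cached token once the draft workflow is done. Returns True if a file was removed."""
    path = Path(path)
    if path.exists():
        path.unlink()
        return True
    return False


def demo(now: float = 1_000.0) -> dict:
    """Run the save/load/revoke cycle in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        cache = Path(d) / "wechat_token.json"
        save_token("constructed-token", 7200, cache, now=now)
        result = {
            "mode": os.stat(cache).st_mode & 0o777,
            "fresh": load_token(cache, now=now),
            "near_expiry": load_token(cache, now=now + 7200 - 30),
        }
        result["revoked"] = revoke_cache(cache)
        save_token("second-token", 7200, cache, now=now)
        os.chmod(cache, 0o644)  # simulate a backup or tool having loosened the permissions
        result["after_loosening"] = load_token(cache, now=now)
        result["cache_removed"] = not cache.exists()
    return result
```

Note that the access token obtained from the AppSecret is itself a bearer credential for the account until it expires, which is why the page's advice to remove or rotate cached tokens after use matters even when the file permissions are right.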

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The tool downloads arbitrary remote image URLs and re-uploads their contents to WeChat, transmitting externally hosted content to a third party without explicit user notice or domain restrictions. In this skill context, article inputs and image URLs may come from automated content pipelines, making silent exfiltration of private/internal image resources more plausible if untrusted URLs are supplied.
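A download-and-re-upload step needs two controls the finding says are absent: a restriction on where images may come from, and a refusal to fetch anything that resolves to an internal address (cloud metadata endpoints, RFC 1918 ranges, loopback), since the URL may arrive from an automated pipeline rather than a human. The following is an added example for this review, not the skill's own code. The allowlist of `images.unsplash.com` is an assumption (the page only says the skill uses an Unsplash key), as are the size cap and the accepted image types; DNS resolution and the HTTP stream are injectable so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Allowlist is an assumption for this example; the original code accepts any URL.
DEFAULT_ALLOWED_HOSTS = frozenset({"images.unsplash.com"})
MAX_IMAGE_BYTES = 5 * 1024 * 1024
ALLOWED_TYPES = ("image/jpeg", "image/png", "image/gif", "image/webp")


class RejectedUrl(ValueError):
    """Raised for any URL the guard will not fetch; the message says why."""


def _resolve(host: str) -> List[str]:
    """Default resolver: every address the host currently resolves to."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_image_url(url: str, allowed_hosts=DEFAULT_ALLOWED_HOSTS,
                       resolve: Optional[Callable[[str], List[str]]] = None) -> str:
    """Return `url` if it is safe to fetch and forward to WeChat, else raise RejectedUrl.

    Checks, in order: https only, no embedded credentials, no IP-literal host,
    host on the allowlist (exact or subdomain), and every address the host
    resolves to is public. The last check is what blocks SSRF via an allowlisted
    name that points (or is rebound) at 169.254.169.254, 10/8 or localhost.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RejectedUrl("scheme must be https: %s" % url)
    if parts.username or parts.password:
        raise RejectedUrl("credentials embedded in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise RejectedUrl("URL has no host")
    is_literal = True
    try:
        ipaddress.ip_address(host)
    except ValueError:
        is_literal = False
    if is_literal:
        raise RejectedUrl("IP-literal hosts are not allowed: %s" % host)
    if not (host in allowed_hosts or any(host.endswith("." + h) for h in allowed_hosts)):
        raise RejectedUrl("host not on allowlist: %s" % host)
    addrs = (resolve or _resolve)(host)
    if not addrs:
        raise RejectedUrl("host does not resolve: %s" % host)
    for addr in addrs:
        if not _is_public(addr):
            raise RejectedUrl("host %s resolves to non-public address %s" % (host, addr))
    return url


def fetch_image(url: str, open_stream: Callable[[str], Tuple[str, Iterable[bytes]]],
                max_bytes: int = MAX_IMAGE_BYTES, allowed_types=ALLOWED_TYPES,
                resolve: Optional[Callable[[str], List[str]]] = None) -> bytes:
    """Validate the URL, then stream the body with a content-type check and a hard size cap.

    `open_stream(url)` returns (content_type, iterable of byte chunks); a real
    implementation wraps urllib or requests with streaming enabled and should
    connect to the address that was just validated, not re-resolve the name.
    """
    validate_image_url(url, resolve=resolve)
    content_type, chunks = open_stream(url)
    if content_type.split(";")[0].strip().lower() not in allowed_types:
        raise RejectedUrl("unexpected content type %r for %s" % (content_type, url))
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > max_bytes:  # stop reading, do not buffer an unbounded body
            raise RejectedUrl("image exceeds %d bytes: %s" % (max_bytes, url))
    return bytes(buf)
```

Whatever list of hosts is chosen, surface it to the user in the skill description, and have the skill show the final list of image URLs before the upload step; silent forwarding of whatever URL the pipeline handed over is the behaviour the finding objects to.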

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean.
