ClawHub

Weixin Plugin Installer

Security checks across malware telemetry and agentic risk

Overview

This skill performs an admin WeChat plugin setup workflow that is sensitive but disclosed and aligned with its purpose.

Install this only if you administer the OpenClaw instance, trust the Tencent WeChat plugin being installed, and are comfortable linking a WeChat account by QR code. Use it only in a private admin chat, do not expose QR outputs in groups, and expect a brief gateway interruption after successful connection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill directs the agent to read QR/text artifacts and generate PNG/TXT/JSON outputs, which implies file read/write capability, but it declares no corresponding permissions. This creates a trust and policy gap: a host may permit the skill under the assumption it is low-privilege while it actually handles local files that can contain sensitive login state or QR data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior understates what the skill actually enables: plugin installation/enablement, login initiation, QR generation from logs, and a planned gateway restart are materially more sensitive than simple status/refresh operations. This mismatch can mislead reviewers and operators, causing them to approve a skill that changes system state, exposes authentication artifacts, and can interrupt service availability.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script creates a detached background job that unconditionally runs `openclaw gateway restart`, which is a privileged operational action outside the stated scope of installing a WeChat connector and managing QR codes. In this skill context, an undocumented restart capability is especially dangerous because it can disrupt unrelated services, hide side effects behind delayed execution, and surprise users or operators who only intended QR-management actions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script manages persistent state, tracks background PIDs, and schedules a delayed service restart using `nohup`, all of which materially expand the skill's capability beyond QR and connector management. In context, this makes the skill more dangerous because it can continue acting after the initiating interaction ends, enabling disruptive behavior that is harder for users to see, correlate, or cancel reliably.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly describes installing/enabling a plugin and later performing an asynchronous `openclaw gateway restart`, but it does not clearly warn the administrator that this changes infrastructure state and can interrupt message handling or temporarily disrupt service. In this skill context, the risk is real because the gateway is part of the active chat path, so a restart or reload at the wrong time can break availability, confuse operators, or trigger unintended operational impact.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes PID and log files and triggers a delayed gateway restart without any embedded warning, confirmation, or indication of user consent. In a skill advertised for installation and QR handling, silent operational side effects increase the risk of accidental denial of service, confusing system behavior, and unauthorized changes triggered by normal-looking chat commands.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal