微信MCP

Security checks across malware telemetry and agentic risk

Overview

The behaviour of this WeChat automation skill is consistent with its stated purpose, but it can send messages from the user's live WeChat session without reliable recipient confirmation, and it leaves local screenshots of the chat UI behind.

Install only if you are comfortable letting an agent control your desktop WeChat session and send messages as you. Keep WeChat on the intended chat before use, review the exact message externally before invoking the tool, avoid using it around sensitive conversations, and delete generated screenshot files after testing or sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Tp4
MCP Tool Poisoning (High, 92% confidence)
The documentation presents the skill as WeChat message monitoring/sending, but the described behavior also includes screenshot capture, local image persistence, and desktop window enumeration. Those capabilities increase data exposure beyond the declared purpose and can leak sensitive chat content, contact names, and screen metadata without clear disclosure or minimization.

Description-Behavior Mismatch (Medium, 96% confidence)
The code captures the active WeChat chat area and saves it to disk as last_chat.png, which collects message content beyond the stated capability of monitoring and sending messages. Persisting chat screenshots creates an unnecessary local data residue risk because sensitive conversations may be exposed to other local users, backups, or later exfiltration by unrelated software.

Description-Behavior Mismatch (Medium, 93% confidence)
The test routine sends a message to whichever chat is currently open, rather than verifying or selecting an intended recipient. In a UI-automation messaging tool, this can easily cause misdelivery to the wrong person or group, leading to privacy, reputational, or operational harm.

Description-Behavior Mismatch (Medium, 94% confidence)
The code prints titles, sizes, and coordinates for all visible large windows on the system rather than limiting itself to WeChat. Window titles often contain sensitive information such as document names, chat previews, or application context, so this creates unnecessary system-wide information disclosure beyond the skill's stated purpose.

Context-Inappropriate Capability (Medium, 96% confidence)
This code performs blanket desktop window discovery and captures metadata for unrelated applications, which is broader than required for monitoring or sending WeChat messages. In the context of an agent skill, such system-wide discovery can be used to profile user activity and expose sensitive application usage without clear necessity.

Description-Behavior Mismatch (Medium, 94% confidence)
The code captures a portion of the WeChat UI and persists it to contact_name.png for later inspection, which goes beyond simply sending a message. Persisting screenshots of chat UI can expose contact names and message content to other local processes or users, creating an unnecessary privacy and data-leakage risk.

Description-Behavior Mismatch (Low, 84% confidence)
The status API returns the raw window title plus exact screen position and size, which exceeds the stated purpose of message sending/status and may reveal contact names or other sensitive UI context. While lower severity than screenshot capture, it broadens data exposure without a clear need.

Context-Inappropriate Capability (Low, 88% confidence)
The function overwrites the system clipboard with the outgoing message before pasting it into WeChat. This can destroy the user's prior clipboard contents and may expose sensitive copied data or interfere with other applications, especially because clipboard manipulation is not clearly disclosed by the skill description.

Missing User Warnings (Medium, 88% confidence)
The skill automates sending WeChat messages on the user's behalf, but the documentation does not clearly warn that it can activate the client and transmit messages as the user. Without an explicit warning, users may invoke it without understanding the impersonation and accidental-message risks inherent in UI automation.

Missing User Warnings (Medium, 94% confidence)
Automatic contact identification from the current window title can misidentify the intended recipient, especially with multiple chats, group chats, truncated titles, or stale window focus. In this context, a mis-send can disclose sensitive information to the wrong person and is particularly dangerous because the skill performs real messaging actions on a live communication platform.

Missing User Warnings (Medium, 97% confidence)
Writing a screenshot of chat contents to disk without notice or consent silently persists potentially sensitive personal or business communications. Even if intended for debugging, undisclosed local storage increases the risk of unauthorized access, accidental sharing, and retention beyond the user's expectations.

Missing User Warnings (High, 96% confidence)
The skill automatically clicks into the input box, pastes arbitrary content, and sends it via Enter without any user confirmation, preview, or safety interlock. In an agent setting, this enables unintended or prompt-influenced message transmission to the wrong recipient, creating a high risk of privacy breaches, spam, or social engineering through the user's account.

Missing User Warnings (Medium, 92% confidence)
The code saves a screenshot of the chat window to verify.png, which may contain private conversations, contact information, and other sensitive UI elements. Writing such screenshots to disk without explicit notice or consent increases the chance of unintended retention and disclosure.

Missing User Warnings (Medium, 95% confidence)
The code captures part of the WeChat window and writes the screenshot to disk as wechat_contact_area.png without any explicit consent, warning, or data-handling controls. Because the image may contain contact names or other private UI content, it creates a local sensitive-data exposure risk through residual files, unintended sharing, backup/sync leakage, or access by other local processes/users.

VirusTotal

66/66 vendors flagged this skill as clean.
