WeChat MCP

Security checks across malware telemetry and agentic risk

Overview

This WeChat automation skill has a legitimate purpose, but it can send messages from the user's logged-in desktop session without recipient verification or confirmation and leaves chat screenshots on disk.

Install only if you are comfortable letting an agent control your active WeChat window and send from your logged-in account. Keep the intended chat selected, require manual confirmation before sending, delete generated screenshot files after use, and prefer a version that verifies recipients, preserves the clipboard, keeps PyAutoGUI FAILSAFE enabled, and avoids saving screenshots by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tool description says it can send messages to a specified contact, but the implementation sends to whichever WeChat chat window is currently active or heuristically selected. In an MCP/agent setting, this can cause messages to be delivered to the wrong recipient, creating privacy leaks, misdelivery of sensitive data, or unintended actions without a reliable recipient-binding check.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code captures and saves screenshots of the chat window and later input/send states to local files, which may include private conversations, contact names, and message contents unrelated to the immediate task. Persisting these artifacts to disk expands the exposure surface and can leak sensitive information to other local users, logs, backups, or later processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description lacks a prominent warning that automating WeChat message sending and window interaction can affect user privacy, expose chat contents, and transmit personal data. In this context, the omission increases risk because the skill operates on a messaging application, where screenshots, message content, and contact interactions are inherently sensitive.

Missing User Warnings

High
Confidence
97% confidence
Finding
The function copies arbitrary message content into the system clipboard, pastes it into the UI, and later sends it without any runtime confirmation or safety interlock. In an agent-controlled context, this enables unintended outbound communication, clipboard clobbering, and accidental exfiltration if the wrong window is focused or if the requested content is sensitive.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Saving screenshots of chat windows to disk without clear disclosure or necessity can capture private message history and user-identifying information. Because the files are stored locally as normal image artifacts, they may persist beyond the session and be accessible to unintended parties or software.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
Confidence
93% confidence
Finding
pyautogui>=0.9.54

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
Confidence
93% confidence
Finding
pygetwindow>=0.0.9

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
92% confidence
Finding
pytesseract>=0.3.13

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui>=0.9.54
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
95% confidence
Finding
Pillow>=12.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pygetwindow>=0.0.9
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
92% confidence
Finding
pyperclip>=1.11.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytesseract>=0.3.13
Pillow>=12.1.0
pyperclip>=1.11.0
opencv-python>=4.13.0
Confidence
95% confidence
Finding
opencv-python>=4.13.0

Known Vulnerable Dependency: Pillow (10 advisories): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption); +7 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
Pillow

Known Vulnerable Dependency: opencv-python (10 advisories): CVE-2017-12864 (Integer Overflow or Wraparound in OpenCV); CVE-2017-12598 (Out-of-bounds Read in OpenCV); CVE-2019-14493 (NULL Pointer Dereference in OpenCV); +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
opencv-python

VirusTotal

64/64 vendors flagged this skill as clean.
