微盛企微管家SCRM

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeCom SCRM integration, but it needs review because it stores and exposes sensitive credentials while allowing broad business-data actions.

Install only if you trust the publisher and are comfortable giving this skill access to your WeCom SCRM data and write-capable workflows. Prefer a least-privilege APP KEY, avoid shared machines, do not enable SCRM_SKIP_SSL_VERIFY, treat uploaded files as potentially public, and rotate the APP KEY if it may have appeared in logs or transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and appears to rely on powerful capabilities including environment access, file read/write, network access, and shell execution, but does not declare permissions or clearly bound those operations. In a skill that handles credentials and operational data, this weakens user consent and platform enforcement, making it easier for the agent to perform sensitive actions without transparent authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is limited to SCRM business workflows, but the behavior described includes credential persistence, token caching/refresh, identity lookups, remote document retrieval, generic downstream API proxying, file upload, and even skill installation/linking. That mismatch is dangerous because users and reviewers may authorize a business data skill without realizing it can modify the local environment, reach arbitrary backend capabilities, or expand its own execution surface.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The runbook instructs the agent to recover an APP_KEY from persistent local storage and immediately execute an `export_hint` shell command containing the secret. This expands the skill from SCRM operations into local credential discovery and shell-side secret handling, creating risk of credential exposure, misuse, or exfiltration if the script output or environment is compromised.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill explicitly requires checking for and relying on general script execution capability before continuing. That grants the agent a broader local command-execution role than is strictly necessary for answering SCRM requests, increasing the blast radius if the skill, script, or surrounding context is manipulated.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The documentation flow tells the agent to compose shell pipelines and invoke Python to parse remote content. Even though intended for controlled document retrieval, this still teaches and authorizes generic command chaining behavior that can be repurposed beyond the business need if other inputs become adversarial.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This environment-check function goes beyond validating prerequisites and actively reads credentials from shell profiles or the Windows registry. In an agent skill context, that broadens the trust boundary and enables silent collection of persistent secrets that the user did not explicitly provide for the current run.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code not only restores the app key but returns the recovered secret value and embeds it into an export command string. That turns a local recovery helper into a plaintext secret disclosure path to downstream components, logs, or model-visible outputs.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This function adds a generic remote content retrieval capability that is broader than the stated SCRM business-management scope. Even though access is constrained to a single host, it still enables arbitrary path fetching from that domain and can be abused to pull unexpected content, expanding the skill's attack surface and creating a data-ingestion primitive that other components may misuse.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The module comments suggest controlled access to a trusted domain, but the implementation allows plain HTTP in addition to HTTPS. This permits man-in-the-middle tampering or observation of fetched content, undermining the trust assumptions around remote documentation or data consumed by the skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This function persistently writes the SCRM credential into Windows user environment variables or Unix shell profile files, modifying the host OS outside core SCRM business operations. That increases blast radius because a skill meant for CRM tasks gains the ability to alter local machine configuration and leave long-lived secrets accessible to other local processes and future sessions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill exposes a remote document fetch capability that is not clearly necessary for customer/marketing management operations described in the skill metadata. Even with a comment claiming it is controlled, this adds content-retrieval capability that can be abused to pull external data into the agent workflow, expanding the attack surface beyond the stated SCRM purpose.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly instructs users to persist a personal APP KEY into shell configuration, which can expose the credential through dotfile leakage, backups, shell history, shared accounts, or overly broad file permissions. Because this skill interacts with customer-management and messaging data in an SCRM system, compromise of that token could enable unauthorized access to sensitive business and customer information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README tells users to upload a local image and notes that a public URL will be returned, but it does not clearly warn that local file contents are being transmitted to a remote service and may become externally accessible. In an enterprise SCRM context, users may upload screenshots, customer materials, or internal marketing assets, creating a risk of unintended disclosure of confidential or personal data.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation rule is intentionally broad and can trigger even when the user does not explicitly mention the product or skill, which increases the chance of accidental invocation in ordinary enterprise customer-operations conversations. Because this skill appears to touch sensitive customer records, chat archives, and operational actions, over-triggering raises the risk of unnecessary data access and unintended side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The runbook operationalizes collection, restoration, and reuse of APP_KEY credentials without an explicit secure-handling boundary or strong user-facing warning. Because the agent is told to process the secret in shell commands and environment variables, the credential may be exposed in logs, process listings, transcripts, or downstream tool output.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The example utterances are very broad and map to common business-language requests like checking customers, tags, follow-up records, or creating codes without requiring an explicit product mention or clear enterprise-WeChat/SCRM context. In an agent-routing system, this can cause the skill to activate on ordinary conversation and expose customer-management actions or data retrieval paths when the user did not intend to invoke this integration.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly promotes automatic local file upload and remote file download, but it does not warn that user-provided paths and URLs can cause data to leave the local machine or create local files. In an agent setting, that omission is security-relevant because the agent may perform network transfer or disk writes implicitly, increasing the risk of unintended exfiltration, SSRF-style fetches, or unsafe file handling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The client allows TLS certificate verification to be disabled by setting the SCRM_SKIP_SSL_VERIFY environment variable, which enables silent man-in-the-middle interception of all API traffic. In this skill, the traffic includes app_key exchange and access_token-bearing requests to a customer-management platform, so disabling verification can expose credentials and sensitive customer data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Reading a credential from persistent storage without any explicit warning or consent creates a covert secret access path. In an agent environment, this can expose credentials to orchestration layers, telemetry, or future prompts that were never meant to receive them.

Missing User Warnings

Medium
Confidence
100% confidence
Finding
The recovered app key is placed directly into an export_hint string, which is likely to be surfaced to logs, UI, or downstream AI steps in plaintext. This materially increases the chance of credential leakage beyond the local process boundary.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists a personal access token in a local JSON cache file under .cache/access_token.json without any visible permission hardening, encryption, or user disclosure. If the host is multi-user, the workspace is shared, or the file is accidentally committed, backed up, or exfiltrated, the token can be reused to access the SCRM account and related customer-management data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Allowing TLS certificate verification to be disabled via environment variable creates a silent downgrade path for transport security. In environments where configuration can be influenced, an attacker could intercept or modify responses from the allowed host, and the fetched raw text may then affect downstream processing or agent decisions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code writes a credential-bearing export line into a shell startup file without any interactive confirmation or prominent warning about persistence. This is dangerous because users may not realize they are storing a long-lived secret in plaintext where it can be exposed through local compromise, backups, dotfile syncing, or later inspection.

Ssd 3

High
Confidence
99% confidence
Finding
Packaging a recovered secret into plain-language output for downstream AI use is especially risky because LLM pipelines commonly log, summarize, transform, or relay intermediate values. That creates multiple unintended disclosure channels for the app key.

Credential Access

High
Category
Privilege Escalation
Content
                "user_id": cached.get("user_id") if cached else None,
                "cached": not args.force_refresh and cached is not None,
            }
            output_success("get_access_token", data, "获取 Access Token 成功")
    except ApiError as e:
        if args.raw:
            sys.exit(1)
Confidence
84% confidence
Finding
Access Token

VirusTotal

66/66 vendors flagged this skill as clean.