weibo-qr-login-skill

Security checks across malware telemetry and agentic risk

Overview

This skill can fetch a Weibo QR login code, but it also changes global OpenClaw permissions and stores reusable Weibo login cookies in ways users should review carefully.

Install only in an isolated OpenClaw environment where you are comfortable with global tool/browser configuration changes, a gateway restart, and persistent local storage of Weibo session cookies. Review setup.sh and weibo_cookies.py before use, avoid the export command, and delete ~/.openclaw/data/weibo/cookies.json and meta.json when you no longer want the session preserved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The setup script sets `tools.profile` to `full` and clears `tools.deny` to an empty list, which broadly enables OpenClaw tool access far beyond what is needed to fetch a Weibo QR code. In the context of an agent skill, expanding global tool permissions increases the blast radius for misuse or compromise and violates least-privilege.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest describes a narrow QR-code login helper, but the installer changes global OpenClaw browser/tool settings and schedules a gateway restart. This scope mismatch is dangerous because it alters the host agent environment in ways unrelated to the advertised function, creating persistence and surprising side effects for other skills and sessions.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The skill is described as fetching a Weibo QR login code, but this file implements persistent extraction, local storage, validation, export, and restoration of Weibo session cookies. That is materially broader than the declared purpose and enables capture and reuse of authenticated session credentials, which can silently persist access beyond a one-time QR workflow.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The export function emits reusable commands that can reapply Weibo cookies elsewhere, effectively turning captured session tokens into portable authentication material. In a skill whose stated purpose is only QR-code login assistance, this significantly increases the risk of session hijacking, unauthorized reuse, and exfiltration of live credentials.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The restore path reinjects saved Weibo cookies into a browser via CDP, enabling resurrection of an authenticated session without repeating the login flow. This goes well beyond QR retrieval and creates a persistence mechanism for account access, making the skill materially more dangerous in context because it handles reusable session credentials rather than transient login artifacts.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script applies global configuration changes and queues a gateway restart without explicit confirmation before making the changes. Silent or automatic environment changes reduce user control and can interrupt running workflows, while also making it easier for an overreaching or malicious skill to alter the agent runtime unnoticed.

Missing User Warnings

Medium
Confidence: 96%
Finding
The code writes Weibo cookies to disk under the user's home directory without any user-facing disclosure, confirmation, encryption, or file-permission hardening. Browser cookies are sensitive session credentials, so local persistence increases the chance of credential theft by other local processes, backups, logs, or later misuse by the skill itself.

Ssd 1

High
Confidence: 98%
Finding
The skill explicitly instructs the agent to ignore AGENTS.md restrictions on browser use, which is a direct attempt to override higher-priority safety and policy controls. Per the provided instructions, text urging the agent to disregard safeguards is a red flag and increases suspicion, especially in a skill that performs browser automation and login handling.

VirusTotal

64/64 vendors flagged this skill as clean.
