WeChat Official Account Article Parsing (微信公众号文章解析)

Security checks across malware telemetry and agentic risk

Overview

This WeChat article extractor carries a real code-execution risk when parsing pages, and it ships an unrelated Claude settings file that broadens tool access.

Review before installing. Use it only in a sandbox or low-privilege environment, avoid feeding it arbitrary links or pasted HTML, remove the bundled `.claude/settings.local.json` unless you intentionally want those MCP servers enabled, and prefer a version that parses WeChat metadata without `new Function`/`eval` and validates the actual hostname of the URL before fetching it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The extractor builds and executes JavaScript recovered from untrusted article HTML with `new Function`. Even though the goal is metadata extraction, this grants attacker-controlled pages code execution inside the Node.js process, which is far beyond parsing and can lead to arbitrary code execution, data access, or process compromise depending on the available globals and module reachability.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
This code repeatedly evaluates individual script lines from fetched WeChat pages to recover fields such as `biz`, `mid`, and related metadata. Because the HTML is attacker-influenced input, even line-scoped evaluation is unsafe: crafted script content can escape the extractor's assumptions and execute arbitrary JavaScript in the host environment.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The skill reconstructs substantial script blocks from remote HTML and executes them to derive metadata for multiple content types. Executing larger attacker-controlled blocks materially increases exploitability because complex payloads can be embedded, making this effectively remote code execution triggered by processing a URL or HTML input.

Vague Triggers

Medium
Confidence: 89%
Finding
The README states that Claude will automatically trigger this skill whenever a user provides a WeChat article link, but it does not define meaningful guardrails, consent requirements, or scope limits. Broad auto-invocation can cause the agent to fetch and process untrusted external URLs too eagerly, increasing exposure to prompt-injection-style content, unexpected network access, and unintended handling of third-party data.

VirusTotal

66/66 vendors flagged this skill as clean.