WeChat Auto Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill mostly generates WeChat article drafts, but its documentation asks for publishing secrets and implies live auto-publishing even though the code does not implement publishing.

Treat this as a draft-generation and trend-scraping tool, not a working WeChat publisher. Do not add WeChat app secrets until publishing is actually implemented and reviewed, keep any .env file out of version control, expect outbound requests to the listed content sources and DashScope, manually review generated drafts, and leave autoPublish disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares use of environment variables and network access in the documentation, but no explicit permissions are declared. This weakens transparency and consent because the agent may access secrets and contact external services without a clear permission boundary, which is especially relevant for a content automation skill that pulls remote data and uses API keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The documented behavior promises end-to-end publishing automation, but the analyzed behavior reportedly includes broader scraping/data collection and lacks the claimed publish implementation. This mismatch is dangerous because users may grant trust or provide credentials based on the stated purpose while the skill performs additional external collection not clearly disclosed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place API keys and app secrets in a .env file but does not warn that these credentials are sensitive or should be excluded from version control. In practice, users frequently commit .env files accidentally, which can leak LLM API keys and WeChat application secrets and enable unauthorized API use or account abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Documenting autoPublish: true without a prominent warning about publishing to a live public WeChat account increases the risk of unintended public posting. In the context of an automation skill, a user may enable it during testing and accidentally publish AI-generated or unreviewed content, causing reputational and operational harm.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger conditions include broad, common phrases such as references to public accounts, AI writing, or hot-topic monitoring, which can cause accidental invocation. In an automation skill with network activity and content generation, overbroad triggering increases the chance of unintended execution and unexpected external requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises automatic publishing capabilities without clearly warning that publishing can affect account state, reputation, rate limits, and possibly content compliance obligations. In the context of a WeChat/publication workflow, unclear warnings can lead users to enable automation without understanding the operational and account-security consequences.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
This module makes outbound requests to several third-party services without any visible consent, disclosure, or control surface for the user. Even if no obvious secrets are sent in request bodies, the use of external services leaks metadata such as the host's IP, timing, user-agent, and operational behavior, and can surprise users who expect a local-only publishing workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal