微信收藏知识库 (WeChat Favorites Knowledge Base)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its WeChat favorites purpose, but it includes under-disclosed bulk WeChat database decryption using memory-extracted keys and persistent decrypted copies.

Install only if you are comfortable with a tool that can locate WeChat database storage, consume memory-extracted database keys, decrypt and persist local WeChat database copies, and optionally send favorite metadata to LLM, Notion, or IMA services. Prefer supplying an explicit already-parsed favorite.db, avoid running decrypt_db.py unless you intend broad local decryption, use SAFE_MODE for offline work, and review any LLM or export payload before enabling network integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documentation describes use of environment variables, local file access, file writes, and optional network operations, but no explicit permissions are declared. That creates a transparency and consent problem: users or hosting platforms may invoke a skill with broader capabilities than expected, including reading local databases, writing exports, and sending content to external APIs when optional features are enabled. In a data-handling skill focused on personal WeChat favorites, undeclared capabilities materially increase privacy risk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior says the tool works from an already parsed favorite.db, but the analyzed behavior indicates it auto-discovers WeChat directories, processes multiple .db files, reads sensitive key material from all_keys.json, and decrypts encrypted SQLCipher databases. This is a significant scope expansion beyond the stated purpose and can expose far more user data than expected, especially because key discovery and bulk database processing touch sensitive local artifacts. The mismatch undermines informed consent and makes accidental over-collection and unintended data exposure much more likely.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The loader does more than read a user-supplied parsed database path: it enumerates local WeChat configuration files and probes account storage directories to discover live data locations automatically. In a privacy-sensitive skill dealing with chat/favorites data, this broadens access scope and can cause the tool to inspect unintended accounts or local artifacts without explicit user consent, increasing the risk of over-collection.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The file is explicitly a WeChat database decryptor and states it uses per-database keys extracted from process memory to decrypt SQLCipher-protected databases. That capability goes well beyond the stated skill purpose of exporting records from an already parsed favorite.db and enables unauthorized recovery of protected user data from encrypted local stores.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script depends on keys obtained by another tool that extracts encryption keys from process memory, which is a credential/secret extraction technique rather than normal application interoperability. In the context of a content export skill, this materially increases the risk of unauthorized access to encrypted databases and suggests deliberate circumvention of application data protections.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The script recursively enumerates and attempts to decrypt every .db file under the configured database directory, not just the favorites database needed for the advertised task. This broad collection behavior expands access from a narrow export utility to bulk decryption of unrelated databases, increasing the chance of privacy violations and unauthorized data exposure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The changelog explicitly states that 500 sampled user favorite titles are sent to an LLM for category discovery, but this file does not present a clear warning about third-party data transfer, privacy implications, or the need for explicit consent at the point where the feature is introduced. Because the skill processes personal user content and the LLM step appears as a workflow default within the documented feature path, users may enable it without understanding that private data leaves the local environment.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger phrases include broad everyday wording such as asking for help organizing WeChat favorites, which can cause the skill to activate unintentionally in contexts where the user did not mean to start a database export or classification workflow. For a skill that may read local files and optionally send content to external services, accidental invocation increases the chance of unintended data access or disclosure. The danger is moderated by the domain relevance, but the sensitivity of the data still makes broad triggers undesirable.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: This script sends sampled WeChat favorite titles and source accounts to an external LLM service, which can expose sensitive personal, work, or proprietary reading-history data to a third party. Although the metadata says network features are optional and SAFE_MODE exists, this file provides no explicit user-facing consent prompt, redaction, or transmission warning at the point of export, making accidental privacy leakage plausible.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: When LLM reclassification is enabled, the script packages article metadata such as `title`, `source_account`, and `url` and sends it to `llm_classify_batch`, which may call an external service. Because this operates on WeChat favorites data that can contain sensitive personal or business information, users may unintentionally exfiltrate metadata without an explicit transmission warning or confirmation.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: This script transmits locally stored WeChat favorites, including article metadata and possibly content, to Notion's remote API. Although the network behavior is part of the script's stated purpose, the actual execution path only logs that export is starting and does not present a clear runtime consent or privacy warning before sending data off-device to a third party, which can lead to unintended disclosure of sensitive personal content.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The module sends article title and source metadata to an external LLM API, which can expose potentially sensitive user content to a third party. In the context of a WeChat favorites export/classification tool, collected items may contain private reading habits, organizational sources, or confidential topics, so silent transmission increases privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script sends article metadata derived from a user's WeChat favorites to an external LLM endpoint using `urllib.request.urlopen`, but the script itself provides no explicit runtime disclosure, consent prompt, or per-record warning before transmission. In this skill's context, the data being classified may contain sensitive reading habits, account names, titles, and URLs, so silent export to a third-party model provider creates a real privacy and compliance risk even if the network feature is described elsewhere as optional.

VirusTotal

65/65 vendors flagged this skill as clean.
