WeRead Import

Security checks across malware telemetry and agentic risk

Overview

This WeRead exporter appears purpose-built, but its browser fallback can start a persistent debug Chrome session and legacy mode can copy sensitive Chrome login data.

Prefer the default Gateway API-key mode. Install only if you are comfortable granting access to your WeRead account data and writing into the chosen notes directory. Avoid WEREAD_PROFILE_SYNC_MODE=legacy unless you accept duplicating sensitive Chrome profile files, and close the managed Chrome/CDP session after browser-mode use.

Publisher note

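weread-import is a WeRead (微信读书) note export tool that exports the highlights, thoughts, and book metadata from the user's own account to local Markdown files, commonly used with an Obsidian reading directory.

The default execution path uses the official WeRead Gateway: it sends requests to https://i.weread.qq.com/api/agent/gateway and authenticates with the WEREAD_API_KEY configured by the user. Network access is used only to fetch WeRead note data; the tool does not upload user notes, cookies, API keys, or local files to third-party services.

The legacy compatibility path is used only when the user explicitly selects --no-gateway, --cookie, --cookie-from browser-live, or --cookie-from browser-managed. This path accesses weread.qq.com / WeRead-related endpoints and may connect to Chrome CDP through Playwright to read login cookies under the weread.qq.com domain. browser-managed starts a separate managed Chrome profile and opens the WeRead login page; by default it does not copy the full login state of the user's default Chrome. browser-live only connects to an external debugging Chrome that the user has already started and does not launch a browser automatically.

File writes occur only in the user-specified --output / WEREAD_OUTPUT directory, and consist of Markdown files and the sync state file .weread-import-state.json. The tool reads existing Markdown and state files in the same directory for incremental merging, preserving existing content, and archiving deleted entries. It does not scan or modify user files outside the output directory.

The entry point is scripts/run.sh. On first run, if node_modules does not exist, it runs npm install --production to install the only runtime dependency, playwright. The project is an ESM Node.js CLI; the main source code is in src/, and tests use Node.js's built-in node:test.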

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to execute shell commands such as `bash ./scripts/run.sh ...`, but it does not declare corresponding permissions. This creates a capability mismatch: users and policy systems may not realize the skill can run local commands, install dependencies, launch browsers, and write files, which increases the risk of unintended command execution and weakens security review boundaries.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The CLI explicitly documents that agents should not switch to the Cookie/web path unless the user chooses the legacy flow, yet `main()` automatically falls back to `runWebBackend()` when the Gateway is unavailable. In an agent setting, this changes the authentication mechanism and may launch or attach to a browser session to harvest cookies without an explicit user decision, violating the intended trust boundary and potentially exposing browser login state.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script explicitly copies Chrome credential-related state files such as Cookies, Login Data, and Local State into a separate profile directory, which duplicates sensitive authentication material on disk. In this skill's context, that behavior is directly tied to reusing an existing browser login for WeRead export, so the risk is real: the copied profile may persist longer than expected, inherit weaker permissions, or be accessed by other local processes/users, increasing the attack surface for session theft or privacy compromise.

VirusTotal

VirusTotal findings are pending for this skill version.
