WeChat Article Publisher

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it ships and persists WeChat publishing credentials/tokens in local files while also offering account-changing publish actions.

Review before installing. Replace the bundled config.json credentials with your own or remove the file; do not commit secrets; run --install only inside an isolated virtual environment; use --dry-run first; and understand that non-dry-run execution can upload local article content/images and create or submit posts through the configured WeChat account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if args.install:
    import subprocess
    subprocess.check_call([
        sys.executable, "-m", "pip", "install",
        "-r", str(Path(__file__).resolve().parent / "requirements.txt")
    ])
Confidence
95% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "-r", str(Path(__file__).resolve().parent / "requirements.txt") ])

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and documents capabilities to read local files, write preview/token cache files, access the network, and invoke installation commands, but it does not declare any permissions. This creates a transparency and consent problem: users and hosting platforms may underestimate the skill’s ability to access local content, persist sensitive tokens, and communicate with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose understates several materially relevant behaviors: persistent access-token caching, local preview generation, dependency installation via --install, and optional actual publish submission. These behaviors expand the trust boundary beyond simple draft creation and can surprise users into granting broader filesystem, network, and execution effects than expected.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Including package-install capability in a content-publishing skill is an unnecessary privileged action that broadens the attack surface. It enables environment modification unrelated to publishing and may lead to arbitrary code execution through dependency installation, especially if requirements are changed or a compromised package is introduced.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs users to place sensitive WeChat credentials such as app_id and app_secret into a local config.json file, but provides no guidance on secure storage, access control, or exclusion from version control. This creates a realistic risk of accidental credential disclosure through repository commits, logs, backups, or shared skill directories, which could enable unauthorized access to the associated WeChat account APIs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill clearly sends article bodies, local images, and API credentials/tokens to WeChat endpoints, but it does not prominently warn users that local content is uploaded to a third-party service. In a publishing workflow this is expected, but without explicit disclosure users may unintentionally transmit sensitive unpublished content or secrets derived from local files and configuration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script caches the WeChat access token to .token_cache.json on disk without warning the user or restricting file permissions. On multi-user systems or shared workspaces, another local user or process could read the token and interact with the associated WeChat account until expiry.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Running pip from the script without a strong warning can unexpectedly modify the interpreter environment and trigger code execution during package installation. This is especially risky in agent or automation contexts where users may not realize the script changes the host outside the publishing task.

VirusTotal

65/65 vendors flagged this skill as clean.