WeChat to IMA

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it parses web pages by executing code from fetched page content while IMA credentials are available.

Install only if you trust the publisher and need this IMA import workflow. Use narrowly scoped IMA credentials where possible, run it only on links you trust, and be aware that it may leave a markdown copy in the temp directory. A safer version should strictly validate WeChat/Sogou hosts, remove dynamic evaluation of page scripts, and clean up temporary files after upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
process.exit(1);
}});
"""
    res = subprocess.run(['node', '-e', js], capture_output=True, text=True)
    if res.returncode != 0:
        fail(res.stderr.strip() or 'extract failed', 4)
    try:
Confidence
93% confidence
Finding
res = subprocess.run(['node', '-e', js], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes capabilities to read environment variables and local credential files, write files, access the network, and invoke shell commands, but it does not declare permissions or constrain those capabilities. This creates an over-privileged, opaque skill surface where secrets such as IMA API credentials could be accessed and external content fetched or persisted without clear permission boundaries.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The extractor fetches attacker-controlled HTML from external WeChat/Sogou pages and then evaluates script-derived content with new Function. Even though it tries to sandbox into local variables, this still grants code-execution semantics over untrusted input and can lead to denial of service, parser breakouts, or unintended access to globals/process depending on crafted payloads and runtime behavior. In an article archival skill, executing remote page JavaScript is not necessary and materially increases risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This block repeatedly extracts lines from remote scripts and executes them to recover fields like biz, sn, mid, idx, and other metadata. Because the source page is untrusted network content, this creates an unnecessary code-evaluation path that an attacker could abuse to crash the process, trigger unexpected behavior, or exploit any escape from the assumed sandbox. The skill only needs article metadata for saving to IMA, so this capability is unjustified by context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code assembles a larger JavaScript program from fetched page script content and runs it with new Function to obtain post metadata. This is dangerous because it treats remote content as executable code, expanding the attack surface well beyond simple HTML parsing and enabling untrusted input to influence runtime execution. For a save/import workflow, this is more dangerous because users expect passive extraction, not code interpretation of third-party pages.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The skill always writes the extracted article body to a predictable temp-directory markdown file and returns that path, creating a local data residue and filesystem disclosure issue beyond simply saving to IMA. In a multi-user or monitored environment, this can expose sensitive article content and local path information even when the user only intended remote import.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Extracted article content is persisted locally without any explicit user-facing notice, which creates an undisclosed storage side effect and possible privacy/data-retention issue. This is more concerning in this skill context because users are asking to save content to IMA, not necessarily to leave a separate local copy behind.

Known Vulnerable Dependency: qs==6.15.0 — 1 advisory(ies): CVE-2026-8723 (qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/u)

Low
Category
Supply Chain
Confidence
80% confidence
Finding
qs==6.15.0

VirusTotal

65/65 vendors flagged this skill as clean.