Pyweixin Rpa

Security checks across malware telemetry and agentic risk

Overview

This does not look like malware, but it gives an agent broad control over a logged-in WeChat account and sensitive chat data, so it should be reviewed before use.

Install only if you intentionally want broad WeChat desktop automation on a Windows machine you control. Treat it as a high-trust tool: review scripts before use, run it in a dedicated environment if possible, require explicit user confirmation before sending/posting/calling/deleting/exporting, avoid unattended cron jobs for sensitive chats, and store any exported chats or media in a protected location with a cleanup plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The documented API includes account-administration and settings-changing operations such as blocking, deleting, changing privacy, and altering notification behavior that are not reflected in the skill's limited description. This hidden expansion of capability is dangerous because an agent or user may authorize the skill for benign chat automation without realizing it can perform irreversible account-management actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The package description focuses on messaging/files/moments/contacts automation, but this file also exposes broad account-administration capabilities such as logout, language/theme changes, notification settings, and download behavior changes. This is dangerous because downstream users or agents may grant trust based on the narrower manifest while the code can materially alter account state and client behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The code can add friends, delete friends, block/unblock users, change privacy, and edit remarks, but these relationship-management powers are not reflected in the stated skill purpose. Hidden social-graph modification features are high risk because they can irreversibly alter a user's account relationships and privacy posture under the guise of routine automation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The module implements voice and video calling features, but the top-level skill metadata does not mention that capability. Omitting real-time communication actions expands the effective authority of the skill beyond user expectations and can trigger unwanted calls or harassment workflows.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The Log_out function can terminate the currently authenticated WeChat session, which is a disruptive account-level action unrelated to ordinary chat automation. In an agent setting, this can be abused for denial of service, workflow interruption, or forcing reauthentication at sensitive times.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill instructs automatic dependency installation with pip on first use, which modifies the host Python environment and executes package installation logic without an explicit warning or confirmation step. This is risky because it changes the system state, may pull unpinned or compromised packages, and can have side effects beyond the skill itself.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill supports sending messages and files to WeChat contacts but does not clearly foreground that it can transmit user-provided content to external recipients. In a messaging automation context, accidental or unauthorized exfiltration of sensitive text, documents, images, or chat-derived data is a significant risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The document explains a technique to expose and automate WeChat's internal UI by enabling Narrator before login, but it provides no warning about account suspension risk, privacy implications, or potential violation of platform terms. In the context of an automation skill specifically targeting a consumer messaging app's internals, omission of those cautions makes misuse more likely and increases the chance that operators will deploy invasive automation against personal messages, contacts, and files without informed consent or risk awareness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The API documents extraction of chat histories, recent messages, and contact/profile data, with options to print or save detailed results, but provides no privacy warning or consent requirements. This is dangerous because it facilitates bulk collection of sensitive personal communications and metadata that could be exfiltrated, retained insecurely, or processed beyond user expectations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documented save/export operations write chat media and files to local disk without warning that the resulting artifacts may contain sensitive personal or business data. This is dangerous because automation can create persistent unprotected copies outside the application's normal access controls, increasing exposure to other local users, backup systems, or malware.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The documentation exposes destructive actions such as deleting friends and clearing chat history without strong cautionary language or confirmation requirements. This is dangerous because these operations may be irreversible and could be triggered by an agent misunderstanding, prompt injection, or operator error, causing account damage and permanent data loss.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Bulk contact/profile extraction functions enumerate large amounts of personal data, including profile fields and relationship metadata, without any in-band warning or consent checkpoint. This creates a privacy risk because a caller can silently harvest contact details at scale from an authenticated client session.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The chat history export routine can extract message contents, timestamps, and attachments and write them to local storage without a clear warning at execution time. In practice this enables silent conversation exfiltration from an already logged-in account, which is especially sensitive in a messaging client context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The media-saving functions can copy chat images and videos to disk without an explicit safety or privacy warning. Because messaging media often contains sensitive personal data, silent bulk export increases the likelihood of unauthorized retention or exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: These helpers enumerate the currently logged-in WeChat account identifier and derive filesystem paths to local message/database storage. In an RPA/UI automation library this may be functional, but exposing account identifiers and sensitive data locations without consent prompts, access controls, or clear disclosure lowers the barrier for downstream code to inspect or exfiltrate private chat data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The code can directly open folders containing WeChat messages, databases, chat files, and media via os.startfile. Even without reading files itself, surfacing and opening these locations exposes highly sensitive local data and can facilitate unauthorized browsing or secondary tooling access with no warning to the user.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The helper writes caller-supplied text into a predictable file name, LongText.txt, in the current working directory and then places that file on the clipboard. This can unintentionally persist sensitive data to disk, overwrite an existing file in the working directory, and leave residual artifacts without any warning to the user.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The function automates sending arbitrary local files to the currently focused WeChat recipient with no explicit confirmation, preview, or user-facing disclosure at send time. In an RPA context, a caller bug, recipient mix-up, or misuse by another component can cause unintended exfiltration of local data through chat.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: This routine reads local audio files and plays them through the system output specifically to trigger WeChat voice-message capture and transmission, without any visible disclosure to the end user. That can leak sensitive local audio content or cause unintended messages to be sent if invoked unexpectedly or against the wrong chat window.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: When attachment saving is enabled, the code automatically saves selected chat-history media/files to a caller-supplied folder without any disclosure or confirmation. This can silently write potentially sensitive chat contents to disk, increasing exposure through local persistence, sync, backup, or later unauthorized access.

VirusTotal

64/64 vendors flagged this skill as clean.