Publish Markdown as a WeChat Official Account draft (wenyan-cli; themes, code highlighting). Official Account publishing.

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill is aligned with its stated purpose, but on first use it may automatically perform a persistent global npm install while also handling the account's credentials.

Install only if you are comfortable with this skill creating WeChat drafts and potentially changing your machine by installing a global npm package. Prefer installing a reviewed/pinned wenyan-cli yourself first, keep WECHAT_APP_SECRET out of Git and shared dotfiles, and verify the exact Markdown file, images, and resulting draft before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        print(f"{RED}wenyan-cli 未安装!{NC}")
        print(f"{YELLOW}正在安装 wenyan-cli...{NC}")
        try:
            subprocess.run(
                ["npm", "install", "-g", "@wenyan-md/cli"],
                check=True,
                capture_output=False,
Confidence
87% confidence
Finding
subprocess.run( ["npm", "install", "-g", "@wenyan-md/cli"], check=True, capture_output=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs the agent to use environment variables and execute shell commands (`python scripts/publish.py`, `npm install -g @wenyan-md/cli`) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a caller or platform may not realize the skill can access secrets and run commands, increasing the chance of unintended credential exposure or unsafe command execution.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Auto-installing a global npm package gives the skill package-management and persistent system-modification capability unrelated to the narrow task of publishing a document. In a security-sensitive agent context, this is dangerous because it can execute unreviewed install scripts and alter the environment without an explicit trust boundary.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script reads credentials from a hard-coded file in the user's home workspace, expanding its access from publishing a provided markdown file to harvesting secrets from unrelated local data. In an agent skill context, hard-coded secret discovery paths are especially risky because they normalize unauthorized credential collection from ambient files.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that `publish.py` may obtain `WECHAT_APP_ID` and `WECHAT_APP_SECRET` from `TOOLS.md`, which is a sensitive credential source, without an explicit warning or consent step. This is dangerous because it normalizes silent credential retrieval from workspace files and could cause secrets to be accessed, reused, or exposed in logs or downstream tooling without the user's informed approval.

VirusTotal

67/67 vendors flagged this skill as clean.
