ClawHub
Back to skill

Security audit

微信公众号文章处理器

Security checks across malware telemetry and agentic risk

Overview

This skill openly does what it claims: it turns user-provided WeChat article links into Feishu documents, with no hidden code behavior found.

Install this only if you want WeChat article content saved into your Feishu account. Use it on links you trust, avoid sensitive or login-gated content unless you have authorization, and be aware that sending a matching link may create a cloud document without a separate confirmation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough that the skill may auto-activate from casual mentions of WeChat articles, causing unintended browsing and transmission of article content to Feishu. In an agent environment, ambiguous auto-triggering increases the chance of acting without clear user intent or informed consent, especially when third-party services are involved.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The automatic activation logic says the skill runs whenever the user sends a public-account link, but it does not require confirmation, destination selection, or acknowledgment that content will be copied to Feishu. This can lead to unintended exfiltration of article text and metadata to a third-party document platform based solely on message content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow explicitly extracts full article content and metadata, then creates a Feishu document, but the skill does not warn users that this information will be transmitted to and stored by a third-party service. This lack of transparency can cause privacy, confidentiality, or compliance issues if users process sensitive or access-controlled content.

VirusTotal

No VirusTotal findings

View on VirusTotal