WeChat MP Plus

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised WeChat account automation, but it needs review because it can change a live account and modifies local Python state with weak safeguards.

Install only if you control the target WeChat Official Account and are comfortable reviewing commands before they run. Use an isolated Python environment, preinstall dependencies yourself, protect the AppID/AppSecret and .secrets file, avoid destructive menu or draft deletion commands unless you have verified the target account and IDs, and treat the temp access-token cache as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import os
import sys

try:
    import markdown
except ImportError:
    # Flagged behaviour: installs the dependency at runtime with pip, bypassing
    # the system-package guard, then retries the import
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "markdown", "-q", "--break-system-packages"])
    import markdown

THEMES_DIR = os.path.join(os.path.dirname(__file__), "..", "themes")
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "markdown", "-q", "--break-system-packages"])

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Auto-installing a package via pip expands the script's capabilities beyond local Markdown conversion into package management and external dependency retrieval. In a skill context, this is risky because execution can trigger unexpected network access and installation of code from package indexes without informed consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad and include common terms such as “微信公众号”, “wechat mp”, and “publish article”, which can overlap with ordinary user discussion rather than an explicit request to invoke the skill. This can cause unintended activation of a skill that performs publication and account-management actions, increasing the chance of accidental API operations against a live WeChat public account.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Installing a Python package automatically without warning or confirmation is unsafe because it modifies the host environment and may execute untrusted installation-time code. The use of --break-system-packages further increases risk by bypassing protections intended to preserve system Python integrity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script automatically uploads Markdown content, embedded local images, and a cover image to external WeChat services, but it provides no explicit consent prompt, data disclosure notice, or scope limitation before transmission. In an agent/skill context, this can cause unintended exfiltration of sensitive local files or unpublished content if the user does not fully understand that local assets referenced in the Markdown will be sent off-device.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists the WeChat access token to a predictable file in the system temp directory without setting restrictive permissions or warning the user. On multi-user systems or environments where temporary files are broadly readable, this can expose a live API credential that allows access to the associated public account APIs until expiry.

VirusTotal

64/64 vendors reported this skill as clean.
