uniapp-expert

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent uni-app and WeChat Mini Program testing toolkit, but some testing utilities collect or print more runtime/device/app data than their names and documentation clearly disclose.

Review before installing if you will use this against apps containing real user data. Use only test projects or sanitized test accounts, avoid entering real credentials into form scenarios, and be aware that screenshots, reports, page data, route information, and device/system details may be written to local files or printed in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
if "NODE_PATH" not in env:
    try:
        npm_global = subprocess.run(
            "npm root -g",
            capture_output=True, text=True, timeout=10,
            shell=True,
Confidence
84% confidence
Finding
npm_global = subprocess.run( "npm root -g", capture_output=True, text=True, timeout=10, shell=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documents operational capabilities that imply environment access, filesystem interaction, network use, and shell command execution, but it does not declare any permissions or constraints for those actions. This is dangerous because users and enforcement layers cannot accurately understand or gate the skill's real power, enabling unintended command execution, file access, or network activity during use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description presents the skill as a general uni-app development expert, but the content includes concrete instructions for controlling WeChat DevTools, opening automation ports, navigating pages, clicking elements, taking screenshots, extracting application data, and exporting reports. This mismatch is risky because it can hide materially more invasive automation behavior than a user would expect from the declared purpose, increasing the chance of unauthorized local tool control and sensitive data capture.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The method advertised as a console log reader also collects current page routes and full device/system information via getCurrentPages() and wx.getSystemInfoSync(). That exceeds the stated purpose and can expose environment details and app navigation context without clear necessity or consent, increasing privacy and data-minimization risk.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The module exposes get_wxml and get_data methods that can inspect broad page structure and runtime state, exceeding narrow click/input/screenshot-style interaction. In test tooling this may be legitimate, but it still increases data exposure because page data can contain tokens, PII, or internal state not necessary for many test cases.

Context-Inappropriate Capability

Medium
Confidence
73% confidence
Finding
The code returns broad system/runtime information via getSystemInfo(), which is unrelated to the stated core interactions and may disclose host or environment details. In an automation skill this is less severe than direct credential theft, but it still expands the observable attack surface and can aid fingerprinting.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The persistence example explicitly stores an authentication token in browser storage via a Pinia persistence plugin. In real applications, persisting tokens in sessionStorage or localStorage increases exposure to token theft through XSS, browser extensions, shared-device access, or accidental leakage, and the documentation does not warn readers about those tradeoffs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The automation script collects and may export system information without any clear user-facing warning, despite the tool being described as a console log reader. In an agent skill context, this mismatch is more dangerous because users may authorize log inspection but not expect device/environment fingerprinting or route collection.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The performance collection path gathers wx.getSystemInfoSync() alongside performance data without explicit disclosure or consent controls. This creates unnecessary privacy exposure and can reveal host/device characteristics unrelated to the user's expectation of simple performance metrics.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The form submission scenario includes the supplied form_data verbatim in the returned result object, and the script also prints results as JSON. In a testing context, this can expose credentials, emails, tokens, or other sensitive test inputs to logs, consoles, CI artifacts, or output files, which is a genuine data-handling weakness even if the code is intended for automation.

VirusTotal

67/67 vendors flagged this skill as clean.
