Md Wechat

Security checks across malware telemetry and agentic risk

Overview

This Markdown-to-WeChat formatter behaves consistently with its stated purpose, but it can automatically install software and run browser-based rendering during normal conversion, so users should review it before installing.

Install only if you are comfortable with a formatter that may run npm/pip installs and use a headless browser. Prefer running npm install yourself after reviewing package.json/package-lock.json, then invoke conversion with --no-auto-install in an isolated project or sandbox, especially for untrusted Markdown files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    try:
        print(f'[INFO] 正在安装依赖: {package_name}...')
        result = subprocess.run(
            [sys.executable, '-m', 'pip', 'install', package_name],
            capture_output=True,
            text=True,
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, '-m', 'pip', 'install', package_name], capture_output=True, text=True, timeout=120 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises filesystem and shell-capable behavior without declaring permissions, which weakens user awareness and policy enforcement. In this context the documentation explicitly describes reading input files, writing HTML/config output, and invoking Node/npm commands, so the undeclared capability exposure is real even if it appears intended for functionality rather than abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior exceeds a simple Markdown formatting tool by adding dependency installation, subprocess/browser execution, remote resource loading, and reverse-analysis of HTML into config. That broadens the attack surface significantly: untrusted package installation and headless-browser rendering of attacker-controlled content can lead to supply-chain risk, SSRF/network exposure, or execution of unexpected code paths.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Automatic `npm install` from within the skill introduces package installation and subprocess execution beyond the core formatting task. This is dangerous because it can fetch and execute lifecycle scripts from external packages or compromised registries, turning a document-conversion workflow into a supply-chain execution path.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This Markdown conversion script includes logic to install missing packages at runtime and invokes shell commands via child_process.execSync. That exceeds the expected scope of a document formatter and can execute arbitrary install-time scripts from npm, creating supply-chain and unintended code-execution risk on the user's system.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script loads Mermaid and KaTeX assets from external CDNs during rendering/output generation, introducing network dependency and a trust boundary outside a local Markdown-to-HTML conversion tool. This can leak metadata, make output dependent on remote availability or tampering, and surprise users in restricted or offline environments.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill's stated purpose is Markdown-to-WeChat formatting, but it can perform runtime pip installs, which adds package management, network access, and code execution behavior outside that scope. In an agent/skill environment this is especially dangerous because document content can indirectly trigger dependency installation, turning a formatting operation into a software-modifying action.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The implementation exceeds the declared formatter scope by attempting to auto-install missing packages during import checks. That behavior changes the host environment and introduces external code retrieval where users would reasonably expect pure content conversion.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Conversion behavior is influenced by user-supplied Markdown features, and detecting code fences, footnotes, or math can trigger dependency installation. This means untrusted content can cause the agent to modify its environment and potentially fetch and execute package installation code, which is far riskier than simple document transformation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly advertises 'automatic detection and installation of missing dependencies', which implies the tool may perform package installation and network access during normal operation. Even though this is documentation rather than executable code, failing to prominently warn users about implicit install behavior can lead them to run the tool in trusted environments where dependency execution and supply-chain risk are not expected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly advertises automatic detection and installation of missing dependencies, but does not warn users that invoking the tool may cause package installation on their system. In a CLI skill intended for automation and CI/CD use, undocumented package installation expands the trust boundary, can surprise operators, and may enable supply-chain risk if registries or dependency resolution are compromised.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script automatically runs npm install when dependencies are missing, without a strong explicit consent prompt immediately before execution. In practice this means opening a Markdown file can trigger package installation and execution of package lifecycle scripts, which is a significant code-execution and supply-chain risk.

VirusTotal

65/65 vendors flagged this skill as clean.
