Wechat Fetch Publish

Security checks across malware telemetry and agentic risk

Overview

This WeChat article downloader appears purpose-aligned, but it uses persistent authenticated browser state and weakened browser security settings without enough scoping or user warning.

Install only if you are comfortable with a tool that makes outbound requests, saves third-party article content and images locally, and may retain logged-in browser session data. Prefer no-login or ephemeral-session use where possible, restrict URLs to trusted WeChat pages, choose a dedicated output directory, and clear any saved browser profile or cookies after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises network access plus local file read/write behavior, but the manifest does not declare any permissions or equivalent capability disclosure. That creates a transparency and trust problem: users or platforms may invoke a tool that can fetch remote content and write it locally without clear consent boundaries. In this context, the risk is increased because the skill explicitly supports batch downloading and local storage of articles and images.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The tool stores browser state in a persistent profile under the user's home directory when not using no-login mode, which can retain cookies and session data beyond the immediate scraping task. For a skill described as an article fetcher, persisting authentication material increases exposure if the local profile is reused, inspected, or exfiltrated later, even if this was likely added for convenience rather than abuse.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
In no-login mode the browser is launched with '--disable-web-security' and disabled site isolation features, which weakens normal browser protections while loading attacker-controlled remote content. Because this skill visits arbitrary URLs supplied by the user, these flags enlarge the blast radius of malicious pages and are not necessary for ordinary article retrieval.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation promotes bulk downloading of articles and images to local storage without any warning about privacy, copyright, retention, or downstream handling of saved content. This can lead users to collect and persist third-party content at scale without understanding legal or data-protection implications, especially when output includes downloaded media and structured exports.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Cookie-based mode describes using a pre-authenticated session to access content but does not warn about the sensitivity of session cookies or the privacy risks of authenticated scraping. If users mishandle stored browser state or cookies, an attacker or unintended process could reuse that session to access account-bound content or personal data.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The manifest explicitly advertises network fetching of WeChat articles, image downloading, and writing outputs in multiple formats to a local directory, but it does not warn the user that running the skill will access remote content and persist files on disk. This is dangerous because users may invoke it without understanding the privacy, bandwidth, storage, and content-safety implications, especially in automated agent contexts where filesystem writes and external requests should be disclosed clearly.

VirusTotal

66/66 vendors flagged this skill as clean.
