Security audit

WeChat Auto Reply (V26 Safe)

Security checks across malware telemetry and agentic risk

Overview

This WeChat auto-reply skill has a clear purpose, but it needs careful review: it can expose private chats and drive real messaging through an unauthenticated network dashboard.

Install only after review. Run it only on a trusted Mac, bind the dashboard to localhost or put it behind authentication, keep it away from sensitive chats, use an API key with limited scope, and clear stored screenshots and history regularly. The shell-string command construction, the unauthenticated dashboard, and the send-without-confirmation behavior should be fixed before any unattended use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

os.system() or os exec-family call
Severity: High
Category: Dangerous Code Execution
Confidence: 91%
Content:
persona = "回复要简短、干脆,不带句号,用词口语化,像哥们一样聊天,语气轻松。"
    
    # Kill any existing instances
    os.system("pkill -9 -f wechat-auto-reply/monitor_main.py")
    
    script_path = os.path.expanduser("~/.openclaw/workspace/skills/wechat-auto-reply/monitor_main.py")
    cmd = ["python3", script_path, "--targets", targets, "--persona", persona, "--interval", "60"]
(The persona string translates as: "Replies should be short and snappy, with no periods, in colloquial wording, chatting like a buddy, in a relaxed tone.")
Finding:
os.system("pkill -9 -f wechat-auto-reply/monitor_main.py")

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 89%
Content:
if apikey:
        env["GEMINI_API_KEY"] = apikey
    
    monitor_process = subprocess.Popen(cmd, env=env)
    return jsonify({"status": "started", "targets": targets})

@app.route('/api/stop', methods=['POST'])
Finding:
monitor_process = subprocess.Popen(cmd, env=env)

os.system() or os exec-family call
Severity: High
Category: Dangerous Code Execution
Confidence: 93%
Content:
@app.route('/api/stop', methods=['POST'])
def stop_daemon():
    global monitor_process
    os.system("pkill -9 -f wechat-auto-reply/monitor_main.py")
    if monitor_process:
        try:
            monitor_process.terminate()
Finding:
os.system("pkill -9 -f wechat-auto-reply/monitor_main.py")

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 99%
Content:
def run_cmd(cmd, timeout=120):
    try:
        return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        logger.error(f"Command timed out after {timeout}s: {cmd}")
        # Return a dummy completed process to avoid crashing the caller
Finding:
return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 99%
Content:
def run_cmd(cmd, timeout=120):
    try:
        return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        logger.error(f"Command timed out after {timeout}s: {cmd}")
        class DummyProcess:
Finding:
return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 98%
Content:
def run_cmd(cmd):
    try:
        res = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
        return res
    except subprocess.CalledProcessError as e:
        print(f"❌ Command failed: {cmd}\nError: {e.stderr}")
Finding:
res = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 98%
Content:
logger = logging.getLogger(__name__)

def run_cmd(cmd, shell=True):
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)

def check_focus():
    res = run_cmd("osascript -e 'tell application \"System Events\" to get name of first application process whose frontmost is true'")
Finding:
return subprocess.run(cmd, shell=True, capture_output=True, text=True)
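The shell=True and pkill -9 -f findings above share one fix: pass commands as argument lists and signal only the process you started. The following is an added example written for this audit, not code from the skill. It assumes a POSIX host with python3, printf and sleep available; the macOS osascript command is only built, not run.

```python
import subprocess
from typing import List, Optional


def run_cmd(argv: List[str], timeout: int = 120) -> subprocess.CompletedProcess:
    """Run a command given as an argv list, never as a shell string.

    Without shell=True the kernel receives each element as one argument, so
    metacharacters inside data (a chat target, a persona string) cannot
    splice in a second command the way they can when the string is handed
    to /bin/sh. A string is rejected outright rather than silently accepted.
    """
    if isinstance(argv, str):
        raise TypeError("pass an argument list, not a shell string")
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


def frontmost_app_argv() -> List[str]:
    """The audit's check_focus() probe rebuilt as an argv list (macOS only).

    The AppleScript travels as a single argument to -e, so no shell quoting
    is needed at all.
    """
    script = ('tell application "System Events" to get name of '
              'first application process whose frontmost is true')
    return ["osascript", "-e", script]


def start_monitor(script_path: str, targets: str, persona: str,
                  interval: int = 60) -> subprocess.Popen:
    """Launch the monitor and return the handle; it is the only kill target."""
    argv = ["python3", script_path, "--targets", targets,
            "--persona", persona, "--interval", str(interval)]
    return subprocess.Popen(argv)


def stop_monitor(proc: Optional[subprocess.Popen], grace: float = 5.0) -> Optional[int]:
    """Terminate exactly the child we started and return its exit status.

    `pkill -9 -f PATTERN` matches PATTERN anywhere in every process's full
    command line, so an editor with monitor_main.py open, a `grep` for the
    path, or another user's copy of the skill would all be SIGKILLed.
    Signalling the tracked handle touches only our own child, and SIGTERM
    first lets the monitor flush its logs; SIGKILL is the fallback.
    """
    if proc is None:
        return None
    if proc.poll() is not None:      # already gone: report, do not re-signal
        return proc.returncode
    proc.terminate()                 # SIGTERM
    try:
        return proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        proc.kill()                  # SIGKILL
        return proc.wait()


def demo_stop_sleep() -> Optional[int]:
    """Spawn a stand-in child (sleep 30) and stop it; negative = killed by signal."""
    child = subprocess.Popen(["sleep", "30"])
    return stop_monitor(child)


if __name__ == "__main__":
    # Constructed input: under shell=True this would also run `echo injected`.
    hostile_target = "alice; echo injected"
    print(run_cmd(["printf", "%s", hostile_target]).stdout)  # the literal string
    print(frontmost_app_argv())
    print("sleep child exit status:", demo_stop_sleep())
```

The dashboard's /api/start already builds cmd as a list, so the only change there is to drop the os.system("pkill ...") line and keep the Popen handle; the monitor's run_cmd() helpers are where shell strings still need to become lists.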

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding:
The documentation makes an absolute safety claim ('100%' and 'absolutely will not cause account bans') for a tool that automates WeChat through UI simulation, polling, screen capture, and auto-replies. Absolute assurances about platform-enforcement outcomes are inherently unreliable and can mislead users into taking operational, privacy, or account-risk decisions they would otherwise avoid.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding:
The dashboard includes HTTP-accessible process-management functionality to start and kill an external daemon, but there are no visible security controls around those operations. In a local-only admin tool this might be acceptable, but the app binds to 0.0.0.0, making the capability materially more dangerous if exposed on a network.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding:
The history and image endpoints expose raw conversation logs and workspace files over HTTP without authentication. Given this skill handles WeChat conversations, the data is likely sensitive; exposing it unauthenticated can leak personal messages, screenshots, or other workspace artifacts to any reachable client.
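The two findings above (process control, history and image endpoints reachable on 0.0.0.0 with no authentication) are addressed by one small set of controls: refuse wildcard binds, require a per-install bearer token on every route, and serve artifacts only from inside the screenshot directory. This is an added example, not the skill's dashboard code. The token file location, the screenshot directory and the route names are assumptions, and the Flask wiring is imported lazily so the checks can be tested without Flask installed.

```python
import hmac
import os
import secrets
import shutil
import tempfile
from pathlib import Path
from typing import Mapping, Optional

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def bind_is_safe(host: str) -> bool:
    """Loopback only: 0.0.0.0 (or '::') offers start/stop and chat history to the LAN."""
    return host in LOOPBACK_HOSTS


def safe_bind_host(host: str) -> str:
    if not bind_is_safe(host):
        raise ValueError(f"refusing to bind dashboard to {host!r}; use 127.0.0.1")
    return host


def load_or_create_token(path: Path) -> str:
    """Per-install random bearer token, created 0600 so other local users cannot read it."""
    if path.exists():
        return path.read_text().strip()
    path.parent.mkdir(parents=True, exist_ok=True)
    token = secrets.token_urlsafe(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    return token


def is_authorized(headers: Mapping[str, str], expected: str) -> bool:
    """Bearer check; compare_digest does not leak where the first wrong byte is."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):].encode(), expected.encode())


def resolve_artifact(base_dir: Path, name: str) -> Optional[Path]:
    """Map a requested screenshot name to a file strictly inside base_dir, else None."""
    base = base_dir.resolve()
    candidate = (base / name).resolve()   # an absolute `name` replaces base; '..' climbs out
    if base not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def build_app(token: str, shots_dir: Path):
    """Flask wiring; imported here so the checks above stay Flask-free."""
    from flask import Flask, abort, request, send_file

    app = Flask(__name__)

    @app.before_request
    def require_token():                  # covers /api/start, /api/stop, history, images
        if not is_authorized(request.headers, token):
            abort(401)

    @app.route("/api/image/<path:name>")
    def image(name: str):
        path = resolve_artifact(shots_dir, name)
        if path is None:
            abort(404)
        return send_file(path)

    return app


def demo_checks() -> dict:
    """Exercise the checks against a constructed temp layout; returns plain values."""
    tmp = Path(tempfile.mkdtemp())
    try:
        shots = tmp / "screenshots"
        shots.mkdir()
        (shots / "chat_001.png").write_bytes(b"\x89PNG constructed")
        (tmp / "secret.txt").write_text("outside the served directory")
        token = load_or_create_token(tmp / "dashboard_token")
        return {
            "token_persists": load_or_create_token(tmp / "dashboard_token") == token,
            "token_mode": oct(os.stat(tmp / "dashboard_token").st_mode & 0o777),
            "good_auth": is_authorized({"Authorization": "Bearer " + token}, token),
            "bad_auth": is_authorized({"Authorization": "Bearer not-the-token"}, token),
            "no_auth": is_authorized({}, token),
            "inside": resolve_artifact(shots, "chat_001.png") is not None,
            "traversal": resolve_artifact(shots, "../secret.txt") is None,
            "absolute": resolve_artifact(shots, "/etc/hostname") is None,
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo_checks())
    home = Path.home() / ".openclaw"      # assumed location for token and screenshots
    app = build_app(load_or_create_token(home / "dashboard_token"),
                    home / "workspace" / "screenshots")
    app.run(host=safe_bind_host("127.0.0.1"), port=5000)
```

A token in a 0600 file under the user's home is enough for a single-user Mac; if the dashboard must be reachable from another machine, the bind check should stay and a TLS-terminating reverse proxy with its own authentication should front it rather than relaxing the check.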

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding:
The monitor has an embedded action path that can invoke an external location-sending helper based solely on LLM output matching a special token. That mixes passive monitoring with a privileged real-world action and lets model output or prompt manipulation trigger disclosure of location information without explicit human approval.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding:
The prompt explicitly instructs the model not to send a URL for location requests and instead emit a structured action token, but the code converts that token into a navigation URL and sends it anyway. This undermines the declared safety boundary and can leak precise location or routing information contrary to the configured policy.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding:
The skill asks for highly sensitive macOS permissions (Screen Recording and Accessibility) and a Gemini API key, while the described workflow continuously captures chat screenshots and sends content to external model tooling. Without explicit privacy, retention, and system-impact warnings, users may unknowingly expose private messages, contacts, and desktop content or grant broad device-control capabilities to the tool.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
The code stores raw screenshots and parsed conversation history under the user's home directory, creating a persistent local cache of sensitive chat content. If the machine, account, backups, or filesystem permissions are compromised, private messages and images can be recovered without the user's awareness.
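For the persistent cache this finding describes, two controls are cheap: owner-only permissions on the directory and its files, and a retention purge run on every monitor start. This is an added example, not the skill's code; the cache layout and the seven-day window are assumptions, since the page says only that screenshots and history are stored under the home directory.

```python
import os
import shutil
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

DAY = 86400


def harden_cache_dir(cache_dir: Path) -> None:
    """0700 directory, 0600 files: other local accounts (and their malware) cannot read chats."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(cache_dir, 0o700)
    for p in cache_dir.rglob("*"):
        os.chmod(p, 0o700 if p.is_dir() else 0o600)


def purge_older_than(cache_dir: Path, max_age_days: float,
                     now: Optional[float] = None) -> List[Path]:
    """Unlink cached screenshots/history older than the window; return what was removed.

    Callers should log the count, not the paths or contents. unlink() does not
    scrub disk blocks and does nothing about copies already in a backup, so the
    window bounds how much is sitting here; it is not a guarantee of erasure.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    removed: List[Path] = []
    for p in sorted(cache_dir.rglob("*")):
        if p.is_file() and p.stat().st_mtime < cutoff:
            p.unlink()
            removed.append(p)
    return removed


def demo_retention(max_age_days: float = 7) -> Dict[str, object]:
    """Constructed layout: one 10-day-old screenshot and one fresh history file."""
    tmp = Path(tempfile.mkdtemp())
    try:
        cache = tmp / "wechat-cache"
        (cache / "screenshots").mkdir(parents=True)
        old = cache / "screenshots" / "old.png"
        fresh = cache / "history.json"
        old.write_bytes(b"constructed")
        fresh.write_text("[]")
        now = time.time()
        os.utime(old, (now - 10 * DAY, now - 10 * DAY))   # backdate the screenshot
        harden_cache_dir(cache)
        removed = purge_older_than(cache, max_age_days, now=now)
        return {
            "removed": [p.name for p in removed],
            "fresh_kept": fresh.exists(),
            "dir_mode": stat.S_IMODE(cache.stat().st_mode),
            "file_mode": stat.S_IMODE(fresh.stat().st_mode),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo_retention())
```

Because the finding explicitly mentions backups, the cache directory should also be excluded from Time Machine or whatever backup tool is in use; the purge above cannot reach copies that have already left the machine.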

Missing User Warnings
Severity: High
Confidence: 98%
Finding:
The skill sends captured WeChat screenshots and full conversation context to external CLI tools (summarize and gemini), which may forward data to external services or other trust boundaries. This exposes highly sensitive private communications and images without any visible consent, notice, or data minimization.

Missing User Warnings
Severity: High
Confidence: 97%
Finding:
The program can automatically send replies and trigger a location-sharing action in WeChat with no confirmation gate. Because the content is derived from OCR/model output and automation state, mistakes, prompt manipulation, or model hallucinations can cause unauthorized messages or sensitive location disclosures to be sent to real contacts.

Missing User Warnings
Severity: High
Confidence: 95%
Finding:
The skill captures screenshots of the WeChat window and sends them to an external summarization tool for chat-history extraction without any visible consent, notice, or confirmation. This can expose private conversations, contact names, and potentially sensitive images or metadata to automated processing and external model services.

Missing User Warnings
Severity: High
Confidence: 98%
Finding:
The code automatically sends LLM-generated replies into a real WeChat conversation with no human review or confirmation. In context, this is especially risky because the model output is influenced by extracted chat content and persona prompts, so it can send misleading, harmful, privacy-violating, or socially engineered messages on the user's behalf.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding:
The script automatically pastes and sends a location message to a selected chat once invoked, without any final confirmation showing the exact recipient and message. In a UI-automation context, mistakes in focus, target selection, or invocation parameters can immediately disclose sensitive location information to the wrong person.

Missing User Warnings
Severity: Medium
Confidence: 76%
Finding:
The script modifies the system clipboard and sends content into a chat automatically without an explicit confirmation step. In this skill context, that is more dangerous because UI focus can change and the clipboard is a cross-application shared resource, creating risk of unintended disclosure, accidental sends, or disruption of the user's clipboard contents.
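The location-token findings earlier on this page (the model emits a structured action that the code turns into a navigation URL and sends) and the no-confirmation findings above all point at the same missing component: a gate between model output and anything that reaches a real contact. The following is an added example, not the skill's code. The `[[ACTION:name:arg]]` token syntax, the recipient-aware confirm callback and the send callbacks are assumptions; the page describes the token only as a special token the prompt asks for.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical token format; the page does not show the skill's real one.
ACTION_RE = re.compile(r"^\s*\[\[ACTION:(?P<name>[a-z_]+)(?::(?P<arg>[^\]]*))?\]\]\s*$")
# Anything that looks like a link. The prompt-level rule "no URL for location
# requests" is enforced here, in code, regardless of what the model produced.
URL_RE = re.compile(r"https?://|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\.(?:com|cn|net|org|io)\b", re.I)

KNOWN_ACTIONS = {"send_location"}     # anything else from the model is dropped
PRIVILEGED = {"send_location"}        # needs a fresh human "yes" every time
MAX_REPLY_CHARS = 300                 # a runaway or injected reply is cut, not sent


@dataclass
class Decision:
    outcome: str                      # reply | action | needs_approval | blocked
    recipient: str
    payload: str
    reason: str = ""


def parse_model_output(text: str) -> Tuple[str, str, str]:
    """Split raw LLM text into ("action", name, arg) or ("reply", "", text)."""
    m = ACTION_RE.match(text)
    if m:
        return "action", m.group("name"), m.group("arg") or ""
    return "reply", "", text.strip()


def gate(recipient: str, model_text: str,
         confirm: Callable[[str, str, str], bool]) -> Decision:
    """Decide what, if anything, may leave the machine for this recipient.

    Chat content is attacker-controlled input to the model, so a token in
    model output proves nothing about who asked for it; privileged actions
    therefore always go through `confirm`, which must show the human the
    exact recipient and payload (the step the audit says is missing).
    """
    kind, name, payload = parse_model_output(model_text)
    if kind == "reply":
        if not payload:
            return Decision("blocked", recipient, payload, "empty reply")
        if len(payload) > MAX_REPLY_CHARS:
            return Decision("blocked", recipient, payload, "reply too long")
        if URL_RE.search(payload):
            return Decision("blocked", recipient, payload, "policy: no links in auto-replies")
        return Decision("reply", recipient, payload)
    if name not in KNOWN_ACTIONS:
        return Decision("blocked", recipient, name, f"unknown action {name!r}")
    if name in PRIVILEGED and not confirm(recipient, name, payload):
        return Decision("needs_approval", recipient, name, "human did not approve")
    return Decision("action", recipient, name)


def dispatch(d: Decision, send_text: Callable[[str, str], None],
             run_action: Callable[[str, str], None]) -> str:
    """Only two outcomes touch WeChat; everything else is logged and dropped."""
    if d.outcome == "reply":
        send_text(d.recipient, d.payload)
    elif d.outcome == "action":
        run_action(d.recipient, d.payload)
    return d.outcome


def demo() -> Dict[str, object]:
    """Constructed model outputs run through the gate; the human approves Alice only."""
    sent: List[str] = []
    confirm = lambda recipient, action, arg: recipient == "Alice"
    cases = {
        "plain": ("Alice", "ok see you at 8"),
        "link": ("Alice", "here: https://maps.example.com/route?to=home"),
        "bare_domain": ("Alice", "open maps.example.com and search home"),
        "loc_alice": ("Alice", "[[ACTION:send_location:home]]"),
        "loc_bob": ("Bob", "[[ACTION:send_location]]"),
        "rogue": ("Bob", "[[ACTION:run_shell:rm -rf ~]]"),
    }
    outcomes = {k: dispatch(gate(r, t, confirm),
                            lambda who, msg: sent.append(f"text:{who}"),
                            lambda who, act: sent.append(f"{act}:{who}"))
                for k, (r, t) in cases.items()}
    return {"outcomes": outcomes, "sent": sent}


if __name__ == "__main__":
    for name, outcome in demo()["outcomes"].items():
        print(f"{name:12s} -> {outcome}")
```

In the real skill `confirm` would be a dialog or terminal prompt that prints the recipient name and the exact text or location about to go out, and `run_action` would be the existing location-sending helper; the clipboard write happens only inside that helper, after approval, so an unexpected focus change can no longer turn a pending paste into a message to the wrong chat.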

VirusTotal

65/65 vendors flagged this skill as clean.
