content-factory

Security checks across malware telemetry and agentic risk

Overview

This skill can create WeChat articles, but it also has high-impact publishing and unsafe credential-handling behaviors that should be reviewed before installation.

Install only if you intend the agent to access your WeChat publishing credentials and create drafts/previews. Remove or rotate any credential-looking values, do not run commands that print API keys or dump .env files, use only a trusted HTTPS WeChat proxy you control, and require a manual review step before any WeChat draft or preview submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (33)

Tainted flow: 'image_url' from requests.post (line 126, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
"""
        try:
            print(f"📥 Downloading image to: {output_path}")
            response = requests.get(image_url, timeout=30)
            response.raise_for_status()

            # Create output directory if needed
Confidence
88% confidence
Finding
response = requests.get(image_url, timeout=30)

Tainted flow: 'TOKEN_URL' from os.environ.get (line 96, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
}

        try:
            response = requests.get(TOKEN_URL, params=params, headers=self._proxy_headers, timeout=10)
            response.raise_for_status()
            data = response.json()
Confidence
95% confidence
Finding
response = requests.get(TOKEN_URL, params=params, headers=self._proxy_headers, timeout=10)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
json_data = json.dumps(payload, ensure_ascii=False).encode('utf-8')
            headers = {'Content-Type': 'application/json; charset=utf-8'}
            headers.update(self._proxy_headers)
            response = requests.post(url, data=json_data, headers=headers, timeout=30)
            response.raise_for_status()
            data = response.json()
Confidence
94% confidence
Finding
response = requests.post(url, data=json_data, headers=headers, timeout=30)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}

        try:
            response = requests.post(url, json=payload, headers=self._proxy_headers, timeout=30)
            response.raise_for_status()
            data = response.json()
Confidence
93% confidence
Finding
response = requests.post(url, json=payload, headers=self._proxy_headers, timeout=30)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
try:
            with open(image_path, 'rb') as f:
                files = {'media': (image_path.name, f, 'image/png')}
                response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)
                response.raise_for_status()
                data = response.json()
Confidence
94% confidence
Finding
response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
try:
            with open(image_path, 'rb') as f:
                files = {'media': (image_path.name, f, 'image/png')}
                response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)
                response.raise_for_status()
                data = response.json()
Confidence
94% confidence
Finding
response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation embeds real-looking API keys and WeChat credentials directly in example configuration blocks, which can lead users to reuse exposed secrets or accidentally treat them as valid credentials. Even in docs, publishing secret-shaped values normalizes unsafe handling and may represent actual credential leakage if these values were ever real.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file marks hardcoded credential storage as deprecated but still includes concrete hardcoded AppID and AppSecret values in the deprecated example. This is dangerous because readers may copy the insecure pattern, and if the values are genuine it directly discloses sensitive credentials.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Automatic WeChat publishing and preview submission are external account operations that go beyond simple content generation. If triggered without a strong confirmation barrier, the skill can post or stage content to a real third-party account using stored credentials, creating reputational and operational risk.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill introduces cover-generation and infographic workflows that are not reflected in the top-level description. While less severe than account publishing, these extra actions still expand network, file-write, and third-party service usage beyond what a user would reasonably expect from an article-writing skill.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The tool verification steps instruct reading local credential files for Tavily and Brave API keys, even printing values as part of the check. Accessing secrets is unnecessary for ordinary article-writing intent and materially raises the risk of credential exposure or misuse.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The mandatory write to shared memory persists research context, URLs, and topic details across sessions. Persistence is not obviously required for the declared article-writing task and can retain user content longer than expected, increasing privacy and data-governance risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes WeChat APPID and APPSECRET directly in source code, then uses them to obtain an access token for a live external account. Embedded secrets are easily exposed through source control, package distribution, logs, or local file access, enabling unauthorized use of the WeChat account and API abuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script writes a new Python config file containing DEFAULT_COVER_MEDIA_ID as well as APPID and APPSECRET, expanding the persistence and exposure of credentials beyond runtime use. Persisting secrets to disk in plaintext increases the attack surface and creates a reusable artifact that may later be imported, copied, or committed unintentionally.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file implements a deployable network proxy that forwards authenticated requests to WeChat APIs using the cloud function's whitelisted egress IP. Even though it is restricted to a fixed route map, it creates an infrastructure component that can be abused for unauthorized publishing or media operations if the shared token is exposed, and it expands the skill's operational attack surface beyond local content generation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements a network-facing WeChat API proxy service, which is materially broader than a content-generation skill and introduces infrastructure that can relay authenticated API requests through a whitelisted VPS IP. Even though the target host is restricted to api.weixin.qq.com, this still creates a sensitive proxying capability that can be abused to perform account actions, token retrieval, and media operations if the proxy token is exposed or mishandled.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The skill metadata describes generating article content and outputting Markdown/HTML, but this script adds live WeChat publishing capability. That scope expansion is security-relevant because it introduces external transmission, credential handling, and account actions not implied by a content-generation tool.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script reads WeChat credentials from .env, environment variables, or a config module even though the stated skill purpose is article creation. In context, this makes the skill more dangerous because it can access account secrets and perform authenticated actions without that capability being clearly justified by the manifest.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation contains real-looking credential values without clearly stating they are nonfunctional examples, which increases the risk of accidental reuse and leaks. In security-sensitive setup docs, examples should never resemble live secrets closely enough to be mistaken for real credentials.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instructions explicitly print API keys from local credential files to stdout during validation. Plaintext secret disclosure is dangerous because logs, transcripts, or downstream tools may capture and retain those keys, enabling unauthorized third-party API use.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill mandates persistent storage of research context and source URLs without a clear user warning that their content will be saved for cross-session retrieval. This weakens informed consent and may surprise users who expect transient processing only.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly recommends supplying the GLM API key via a command-line flag, which can expose the secret through shell history, process listings, terminal logging, and CI job output. In this skill context, the risk is real because the workflow is designed for repeated content-generation operations where users may copy-paste examples directly, increasing the likelihood of credential leakage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prints secret values loaded from the .env file to stdout, exposing either the full value for short secrets or the first 10 characters for longer ones. This can leak credentials into terminals, logs, CI output, screen recordings, or shared support transcripts, making credential compromise materially easier.

Missing User Warnings

High
Confidence
99% confidence
Finding
The APPID and APPSECRET are hardcoded and used without any warning to the operator that account credentials are embedded in the script and will be exercised against a real WeChat account. This is dangerous because users may unknowingly distribute or run the script while exposing privileged credentials tied to publishing capabilities.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script explicitly writes APPID and APPSECRET into wechat_config.py in plaintext, creating a durable secret disclosure on disk without prompting or warning the user. Any local compromise, backup exposure, repository commit, or packaging step can leak these credentials and enable unauthorized API access.

VirusTotal

64/64 vendors flagged this skill as clean.