WeChat朋友圈营销 (WeChat Moments Marketing)

Security checks across malware telemetry and agentic risk

Overview

This WeChat marketing skill is mostly purpose-aligned, but it asks the agent to expose an unauthenticated callback server and store inbound request data with weak controls.

Review before installing. Use this only if you are comfortable sending campaign details to KIE.ai or Seedream/Volcengine and temporarily exposing a callback endpoint. Prefer disabling the public tunnel unless required, use dedicated API keys, avoid sensitive personal data in prompts, bind callbacks to localhost when possible, and delete callback logs and saved QR settings after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while instructing use of shell commands, local file reads/writes, environment-dependent scripts, network access, and a locally exposed callback server. This creates a hidden privilege surface: users and platforms cannot accurately assess what the skill can do, and the undeclared capabilities materially increase the risk of data exposure, unintended execution, and abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
Although described as a marketing-copy/image skill, it also directs the agent to run an HTTP callback server, accept arbitrary POST data, invoke external APIs with stored credentials, and download files from returned URLs. That mismatch is dangerous because it hides a much broader attack surface than users would reasonably expect, including local service exposure, credential use, and untrusted content ingestion.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements a standalone inbound HTTP server that accepts arbitrary POST requests and persists their contents to disk, which is unrelated to the stated WeChat marketing-content generation purpose. That mismatch is dangerous because it introduces an unnecessary network-facing data collection surface that could be used to capture sensitive callback data, receive untrusted input, or support covert data staging inside the skill environment.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Hosting an inbound callback listener is an unjustified capability for a content-generation skill and materially increases attack surface by exposing a service on 0.0.0.0:8787. Any reachable party can send arbitrary requests to it, causing unsolicited data ingestion and persistent storage, which is especially concerning given the lack of authentication, authorization, or request filtering.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script accepts an arbitrary callback URL from command-line input and forwards it to the external API, enabling task results to be delivered to attacker-controlled destinations. In an agent context, this broadens data flow beyond the stated purpose of generating WeChat content and can be abused for unauthorized exfiltration of prompts, generated outputs, metadata, or job status to untrusted endpoints.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The helper polls callback files, extracts a result URL from untrusted task metadata, and downloads it to an arbitrary output path without validating scheme, host, or content. That creates an SSRF-style arbitrary fetch capability and local file write behavior that is unrelated to a WeChat marketing-copy skill, making the feature especially suspicious in this context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill collects sales contact details and QR settings, then states they are stored locally for later automatic reuse, without clearly warning the user about persistence. This is dangerous because personally identifiable or business-sensitive contact data may be retained unexpectedly, increasing the chance of unauthorized reuse, leakage, or cross-session exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-provided content to external image-generation services but does not warn users that their prompts, contact text, or embedded business details may leave the local environment. This creates a privacy and data-governance risk, especially if prompts include names, phone numbers, pricing, or QR-related assets.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The handler stores full request headers and body to disk, which can capture secrets, tokens, cookies, personal data, or internal metadata from any sender. Persisting this data without minimization, redaction, retention limits, or disclosure creates a clear privacy and secret-handling risk and makes later compromise of the host more damaging.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs collection and persistent storage of user-supplied contact information and QR-code settings for later automatic reuse. Persisting this data across runs increases privacy risk, enables accidental disclosure in future outputs, and can cause one user's data to bleed into another task if storage is not carefully isolated.

VirusTotal

65/65 vendors flagged this skill as clean.