jeffli-content-factory

Security checks across malware telemetry and agentic risk

Overview

This skill is a WeChat content workflow, but it includes automatic account publishing, exposed credential examples, and proxy/account-management code that users should review carefully before installing.

Install only if you intentionally want an agent to use your search, GLM, and WeChat Official Account credentials and to send generated content and media to WeChat. Before use: rotate every WeChat AppSecret that appears in the repository or its docs (treat example-looking values as already exposed); remove any code that prints keys, even partially; keep automatic publishing disabled unless you add an explicit approval step; and point WECHAT_PROXY_URL only at an endpoint you fully control, because the skill's token and publishing requests are routed through it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (31)

Tainted flow: 'image_url' from requests.post (line 126, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
        """
        try:
            print(f"📥 Downloading image to: {output_path}")
            response = requests.get(image_url, timeout=30)
            response.raise_for_status()

            # Create output directory if needed
Confidence: 94%
Finding:
response = requests.get(image_url, timeout=30)
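The flow above hands a URL taken from an upstream response body straight to requests.get. The example below is added here and is not code from the skill; it shows the fetch-side check a practitioner would put in front of that call: reject non-http(s) schemes and embedded credentials, resolve the host and refuse any answer that is not a globally routable address (loopback, RFC 1918, the 169.254.169.254 metadata range), then stream the body with a content-type and size cap and without following redirects. The 10 MiB cap, the resolver-injection hook and the image/ content-type requirement are assumptions of the example, not settings from the skill.

```python
# Added example (not code from the skill): hardened download of an image URL
# that arrived in an upstream API response. Assumptions (hypothetical): the
# size cap, the image/ content-type requirement and the injectable resolver.
import ipaddress
import socket
from pathlib import Path
from typing import Callable, List, Optional
from urllib.parse import urlparse

MAX_IMAGE_BYTES = 10 * 1024 * 1024  # constructed policy: refuse images over 10 MiB
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to IP literals (network call; swap in a fake for tests)."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_fetch_url(url: str, resolver: Callable[[str], List[str]] = default_resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it may not."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    try:
        # IP literal: no lookup needed; hostname: resolve and check every answer
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except socket.gaierror:
        return f"{host!r} does not resolve"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return f"unparseable address {addr!r}"
        # is_global is False for loopback, RFC 1918, link-local (169.254/16, where
        # cloud metadata services live), shared address space and documentation ranges
        if not ip.is_global:
            return f"{host} resolves to non-global address {ip}"
    return None


def download_image(url: str, output_path: Path, resolver=default_resolver) -> Path:
    """Fetch url to output_path once check_fetch_url passes, without following
    redirects (a redirect could re-target an internal address after the check)
    and with a content-type and size cap. Residual gap: the name is resolved here
    and again inside requests, so a DNS-rebinding attacker still has a window."""
    import requests  # imported here so the policy functions above stay dependency-free

    reason = check_fetch_url(url, resolver)
    if reason:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    output_path = Path(output_path)
    output_path.parent.mkdir(parents=True, exist_ok=True)
    with requests.get(url, timeout=30, stream=True, allow_redirects=False) as resp:
        resp.raise_for_status()
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("image/"):
            raise ValueError(f"unexpected content type {ctype!r}")
        written = 0
        with open(output_path, "wb") as fh:
            for chunk in resp.iter_content(64 * 1024):
                written += len(chunk)
                if written > MAX_IMAGE_BYTES:
                    raise ValueError("image exceeds size limit")
                fh.write(chunk)
    return output_path
```

Call download_image(image_url, Path(output_path)) where the skill currently calls requests.get directly; the policy check is separate so it can be unit-tested with a fake resolver and no network.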

Tainted flow: 'TOKEN_URL' from os.environ.get (line 96, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
        }

        try:
            response = requests.get(TOKEN_URL, params=params, headers=self._proxy_headers, timeout=10)
            response.raise_for_status()
            data = response.json()
Confidence: 94%
Finding:
response = requests.get(TOKEN_URL, params=params, headers=self._proxy_headers, timeout=10)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
            json_data = json.dumps(payload, ensure_ascii=False).encode('utf-8')
            headers = {'Content-Type': 'application/json; charset=utf-8'}
            headers.update(self._proxy_headers)
            response = requests.post(url, data=json_data, headers=headers, timeout=30)
            response.raise_for_status()
            data = response.json()
Confidence: 90%
Finding:
response = requests.post(url, data=json_data, headers=headers, timeout=30)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        }

        try:
            response = requests.post(url, json=payload, headers=self._proxy_headers, timeout=30)
            response.raise_for_status()
            data = response.json()
Confidence: 89%
Finding:
response = requests.post(url, json=payload, headers=self._proxy_headers, timeout=30)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        try:
            with open(image_path, 'rb') as f:
                files = {'media': (image_path.name, f, 'image/png')}
                response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)
                response.raise_for_status()
                data = response.json()
Confidence: 90%
Finding:
response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)

Tainted flow: 'url' from os.environ.get (line 552, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
        try:
            with open(image_path, 'rb') as f:
                files = {'media': (image_path.name, f, 'image/png')}
                response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)
                response.raise_for_status()
                data = response.json()
Confidence: 90%
Finding:
response = requests.post(url, files=files, headers=self._proxy_headers, timeout=60)
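The five Critical flows above share one source: a base URL read from the environment (the skill's WECHAT_PROXY_URL, per the Overview) that becomes the destination of the token request and of the draft, publish and media-upload requests. Whatever that variable points at receives the account credentials. The example below is added here and is not the skill's code; it pins the destination: no proxy configured means the official host, and a configured proxy must be https, a bare host[:port]/path, and present in an operator-maintained allowlist, otherwise the request is refused before any credential is attached. WECHAT_PROXY_ALLOWED_HOSTS is a variable the example introduces; api.weixin.qq.com and /cgi-bin/token are the official host and token path from the public WeChat API documentation.

```python
# Added example (not code from the skill): fail-closed selection of the WeChat
# API base URL so token and publishing requests can only go to approved hosts.
# Assumptions (hypothetical): WECHAT_PROXY_ALLOWED_HOSTS is an operator-set
# allowlist introduced here; the official host and token path are as documented.
import os
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import urlparse, urlunparse

OFFICIAL_BASE = "https://api.weixin.qq.com"


class UntrustedEndpoint(ValueError):
    """Raised instead of sending credentials to an unapproved destination."""


def resolve_api_base(env: Optional[Mapping[str, str]] = None) -> str:
    env = os.environ if env is None else env
    proxy = env.get("WECHAT_PROXY_URL", "").strip()
    if not proxy:
        return OFFICIAL_BASE  # no proxy configured: talk to WeChat directly
    allowed = {h.strip().lower() for h in env.get("WECHAT_PROXY_ALLOWED_HOSTS", "").split(",") if h.strip()}
    parts = urlparse(proxy)
    if parts.scheme != "https":
        raise UntrustedEndpoint("WECHAT_PROXY_URL must be https: the token request carries the AppSecret")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise UntrustedEndpoint("WECHAT_PROXY_URL must be a bare https://host[:port]/path")
    host = (parts.hostname or "").lower()
    if host not in allowed:
        raise UntrustedEndpoint(f"proxy host {host!r} is not listed in WECHAT_PROXY_ALLOWED_HOSTS")
    # Normalise so callers can append API paths predictably.
    return urlunparse((parts.scheme, parts.netloc, parts.path.rstrip("/"), "", "", ""))


def build_token_request(appid: str, secret: str, env: Optional[Mapping[str, str]] = None) -> Tuple[str, Dict[str, str]]:
    """URL and query parameters for the access-token call, built only after the
    destination has passed resolve_api_base. Hand the tuple to requests.get."""
    base = resolve_api_base(env)
    params = {"grant_type": "client_credential", "appid": appid, "secret": secret}
    return f"{base}/cgi-bin/token", params
```

Every URL the skill builds (TOKEN_URL and the url values flagged above) should derive from resolve_api_base rather than from the raw environment variable, so a single misconfiguration cannot redirect credentials.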

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The documentation includes real-looking API keys and WeChat credentials while simultaneously advising against hardcoding secrets. Even if presented as examples, publishing credential-shaped values in docs can expose actual secrets or normalize unsafe copying into code, logs, or screenshots.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The deprecated `wechat_config.py` example still embeds live-looking WeChat credentials in source-form code. Deprecated examples are often copied verbatim, so this can directly lead to secret exposure and insecure hardcoding practices.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
Auto-publishing to a WeChat Official Account is a significant external side effect not disclosed by the skill's stated purpose of article creation/output. This increases the risk of unintended publication, data leakage, reputational harm, and misuse of linked third-party accounts.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The skill instructs direct reading of local credential files and even printing API keys as part of tool verification. That is a clear secret-handling flaw: content-generation functionality does not require revealing raw credentials, and exposing them to logs or chat output can lead to immediate credential compromise.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
Persisting full research context and source URLs into shared memory across sessions introduces unnecessary retention beyond the stated purpose of article generation. Cross-session storage can expose user prompts, research direction, and collected materials to later sessions or unrelated workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The script embeds WeChat account credentials and performs account-level operations such as token retrieval and permanent media upload, which goes beyond simple local cover generation. In the context of a content-generation skill, bundling live platform credentials enables unauthorized use of the publisher account if the code or generated config is exposed.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The script rewrites wechat_config.py with a media ID plus the WeChat credentials, persisting secrets into a local Python file. This increases secret exposure through source control, logs, backups, or accidental sharing, and it extends the skill from content creation into credential persistence and account configuration.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
Hardcoded WeChat credentials coupled with immediate remote API use create a direct path for account abuse by anyone who can read the repository or artifact. Because the skill's stated purpose is article creation, not privileged account administration, this behavior is unjustified and expands the blast radius well beyond local content processing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The script prints the first part of the GLM_API_KEY to the console, which unnecessarily discloses secret material during testing. Partial secret exposure can aid credential correlation, leak into logs, screenshots, CI output, or terminal history, and is not needed to verify that the key exists.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
This file loads live WeChat Official Account credentials from a local secret store and exposes them as module-level variables for downstream use. In the context of a skill described primarily as article generation, silently wiring in publishing credentials expands capability into authenticated account access and publication, which increases the risk of unauthorized posting or misuse if other parts of the skill invoke these values.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The function supports publication-capable WeChat operations such as draft creation and freepublish submission, which go beyond a narrowly described article-generation workflow and materially expand the skill's authority. Even if intended for legitimate publishing, embedding this capability in the skill increases the blast radius: any caller with the proxy token can trigger live publication-side actions through the whitelisted SCF egress path.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
This code implements a credential-gated network proxy that forwards caller-supplied requests to privileged WeChat API endpoints from a fixed whitelisted IP. That creates a reusable capability for sensitive account operations outside the stated content-creation purpose, and if the shared token is leaked or reused insecurely, an attacker can perform publishing and media actions through the trusted proxy.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The file implements a standalone WeChat API proxy server and its own deployment/usage flow, which is materially outside the declared article-generation purpose of the skill. Even if intended for operational convenience, adding an internet-reachable proxy broadens the attack surface and can be abused to relay privileged WeChat API operations through a whitelisted VPS IP.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The server listens on 0.0.0.0 and exposes an internet-facing HTTP proxy service, making privileged WeChat API access available to anyone who can reach the host and present the token. In the context of a content-generation skill, this infrastructure component is unnecessary and increases the risk of unauthorized use, brute forcing, token leakage, and operational misuse.
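The three proxy findings above describe a token-gated relay that forwards caller-supplied requests to privileged WeChat endpoints and listens on every interface. The example below is added here and is not the skill's proxy code; it shows the admission checks such a relay should make before forwarding anything: a constant-time comparison of the shared token (no timing oracle to help brute forcing), a lockout after repeated bad tokens from one client, an allowlist of method/path pairs so the relay cannot be driven to arbitrary account operations, and a bind address that defaults to loopback so exposure beyond the host is a deliberate choice (and then belongs behind TLS). The X-Proxy-Token header name, the thresholds and the PROXY_BIND_* variables are assumptions; the allowed paths are the operations the findings mention (token retrieval, permanent media upload, draft creation, freepublish) as named in the public WeChat API documentation.

```python
# Added example (not the skill's proxy): request admission for a WeChat API relay.
# Assumptions (hypothetical): X-Proxy-Token header, constructed lockout thresholds,
# PROXY_BIND_HOST/PORT variables; allowed paths per the public WeChat API docs.
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Mapping, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_UPSTREAM = {
    ("GET", "/cgi-bin/token"),
    ("POST", "/cgi-bin/material/add_material"),
    ("POST", "/cgi-bin/draft/add"),
    ("POST", "/cgi-bin/freepublish/submit"),
}
MIN_TOKEN_LEN = 32
MAX_FAILURES, FAILURE_WINDOW = 5, 300.0  # constructed: 5 bad tokens per 5 minutes per client


def bind_address(env: Optional[Mapping[str, str]] = None) -> Tuple[str, int]:
    """Loopback unless the operator opts in; listening on 0.0.0.0 should never be the default."""
    env = os.environ if env is None else env
    return env.get("PROXY_BIND_HOST", "127.0.0.1"), int(env.get("PROXY_BIND_PORT", "8080"))


class Admission:
    def __init__(self, expected_token: str, now=time.monotonic):
        if len(expected_token) < MIN_TOKEN_LEN:
            raise ValueError(f"shared token must be at least {MIN_TOKEN_LEN} characters")
        self._token = expected_token.encode("utf-8")
        self._now = now
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _locked_out(self, client: str) -> bool:
        """True once a client has exceeded MAX_FAILURES bad tokens inside FAILURE_WINDOW."""
        q = self._failures[client]
        cutoff = self._now() - FAILURE_WINDOW
        while q and q[0] < cutoff:
            q.popleft()
        return len(q) >= MAX_FAILURES

    def admit(self, client: str, method: str, path: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
        """(True, '') to forward upstream, or (False, reason) to answer with a 4xx."""
        if self._locked_out(client):
            return False, "too many failed attempts"
        presented = headers.get("X-Proxy-Token", "").encode("utf-8")
        # compare_digest takes time independent of where the first mismatch is
        if not hmac.compare_digest(presented, self._token):
            self._failures[client].append(self._now())
            return False, "invalid token"
        upstream = urlparse(path).path  # compare the path only; appid/secret travel in the query
        if (method.upper(), upstream) not in ALLOWED_UPSTREAM:
            return False, f"{method} {upstream} is not a permitted upstream operation"
        return True, ""
```

The HTTP server itself (whatever framework the relay uses) calls Admission.admit with the client address, method, request path and headers, and only forwards when the first element is True; bind it to bind_address() rather than a hardcoded "0.0.0.0".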

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The document shows secrets in examples and sample output without a strong warning against exposing them in terminals, logs, screenshots, or CI output. In a skill that manages publishing credentials, this increases the risk of accidental disclosure during setup and troubleshooting.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill stores prompts, candidate topics, outlines, and URLs in persistent shared memory without clearly warning the user. This is dangerous because seemingly harmless research requests may contain confidential business plans, campaign ideas, or unpublished content that then remains accessible across sessions.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
Automatically sending generated content to a WeChat Official Account is an external disclosure action that should never be implicit. Without prominent up-front warning and explicit consent, the skill can publish drafts or sensitive content to an external platform and associated account unexpectedly.
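The finding above asks for an explicit consent step before anything is published. The example below is added here and is not code from the skill; it is a gate that holds every article by default and forwards to the publish call only when an opt-in variable is set and an approver has confirmed the SHA-256 of the exact article that will be sent, so approval cannot be given blindly or reused for a different draft. The WECHAT_AUTOPUBLISH variable, the approver interface and the article dict shape are assumptions; publish_fn stands for whatever the skill calls to create a draft or submit a freepublish.

```python
# Added example (not code from the skill): content-bound approval gate in front
# of publishing. Assumptions (hypothetical): WECHAT_AUTOPUBLISH opt-in variable,
# approver(title, digest) -> digest protocol, article as a dict.
import hashlib
import json
import os
from typing import Any, Dict, List, Mapping, Tuple


def article_digest(article: Mapping[str, Any]) -> str:
    """SHA-256 over canonical JSON: approving the digest approves exactly these bytes."""
    canon = json.dumps(article, sort_keys=True, ensure_ascii=False, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class PublishGate:
    def __init__(self, publish_fn, approver=None, env=None):
        self.publish_fn = publish_fn      # the skill's draft/freepublish call
        self.approver = approver          # callable(title, digest) -> digest to approve
        self.env = dict(os.environ) if env is None else dict(env)
        self.audit: List[Tuple[str, str]] = []  # (decision, digest) trail

    def submit(self, article: Mapping[str, Any]) -> Dict[str, Any]:
        digest = article_digest(article)
        if self.env.get("WECHAT_AUTOPUBLISH") != "1":
            self.audit.append(("held", digest))
            return {"status": "held", "digest": digest, "reason": "WECHAT_AUTOPUBLISH is not set to 1"}
        if self.approver is None:
            self.audit.append(("held", digest))
            return {"status": "held", "digest": digest, "reason": "no approver configured"}
        decision = self.approver(article.get("title", ""), digest)
        if decision != digest:
            self.audit.append(("rejected", digest))
            return {"status": "rejected", "digest": digest, "reason": "approval did not match content digest"}
        result = self.publish_fn(dict(article))
        self.audit.append(("published", digest))
        return {"status": "published", "digest": digest, "result": result}


def console_approver(title: str, digest: str) -> str:
    """Interactive approver: shows what is about to go out and requires the operator
    to type the first 8 hex characters of the digest back; anything else refuses."""
    print(f"About to publish {title!r} (sha256 {digest[:8]}). Type those 8 characters to approve:")
    typed = input().strip()
    return digest if typed == digest[:8] else ""
```

An agent run that reaches submit() without the operator having set the opt-in and wired an approver gets a "held" result and a local record of the digest, which is the behaviour the finding asks for.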

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The guide explicitly recommends supplying the API key via a command-line flag, which can expose the secret through shell history, process listings, CI logs, and terminal audit tools. In an agent or automation context, this is more dangerous because commands may be logged verbosely or surfaced to other tools and users, increasing the chance of credential leakage and downstream API abuse.
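This finding and the two earlier ones about reading credential files aloud and printing a prefix of GLM_API_KEY share one fix. The example below is added here and is not code from the skill; it reads a secret from the environment or from a file named by a *_FILE variable (never from argv), reports that a key is configured through a length plus SHA-256 prefix rather than any of its characters, and attaches a logging filter that strips configured secret values from every record. The *_FILE convention, the fingerprint format and the flag names are assumptions; GLM_API_KEY and WECHAT_APPSECRET are used only as the variable names the findings mention.

```python
# Added example (not code from the skill): load, verify and log around secrets
# without ever echoing them. Assumptions (hypothetical): *_FILE convention,
# fingerprint format, SECRET_FLAGS list.
import hashlib
import logging
import os
from pathlib import Path
from typing import Dict, Iterable, Mapping, Optional, Sequence

SECRET_FLAGS = ("--api-key", "--secret", "--appsecret", "--token")


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """NAME from the environment, else the contents of the file named by NAME_FILE."""
    env = os.environ if env is None else env
    value = env.get(name, "")
    if value:
        return value
    path = env.get(f"{name}_FILE")
    if path:
        return Path(path).read_text(encoding="utf-8").strip()
    raise KeyError(f"{name} is not configured; set {name} or {name}_FILE")


def fingerprint(secret: str) -> str:
    """Status-line handle for a configured secret: length and the first 8 hex
    characters of its SHA-256. Enough to tell two keys apart or confirm the right
    one is loaded; reveals no characters of the key (sound for high-entropy keys)."""
    digest = hashlib.sha256(secret.encode("utf-8")).hexdigest()
    return f"<secret len={len(secret)} sha256:{digest[:8]}>"


def redact(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each secret value, longest first so a key that
    contains another key is masked whole."""
    for s in sorted({s for s in secrets if s}, key=len, reverse=True):
        text = text.replace(s, "[REDACTED]")
    return text


class RedactingFilter(logging.Filter):
    """Attach to the root logger or a handler; rewrites records before emission."""
    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def cli_carries_secret(argv: Sequence[str]) -> bool:
    """True if a secret was passed on the command line (shell history, ps, CI logs)."""
    return any(a.startswith(SECRET_FLAGS) for a in argv)


def verify_configured(names: Sequence[str], env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """What a 'check my setup' step may print: a fingerprint per key, or 'missing'."""
    report = {}
    for n in names:
        try:
            report[n] = fingerprint(load_secret(n, env))
        except (KeyError, OSError):
            report[n] = "missing"
    return report
```

A setup check that prints verify_configured(["GLM_API_KEY", "WECHAT_APPSECRET"]) tells the operator whether each key is present and which one is loaded, which is all the "verification" step in the guide needs.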

Missing User Warnings

Severity: High
Confidence: 100%
Finding:
The APPID and APPSECRET are hardcoded directly in the source code, which is a classic secret-exposure flaw. If this file is shared, committed, or leaked, an attacker can obtain access tokens and interact with the associated WeChat Official Account API as that application.
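Hardcoded WeChat credentials appear in several findings above (this file, the deprecated wechat_config.py example, the documentation). The example below is added here and is not code from the skill; it is a small pre-commit-style scanner for credential-shaped values that would have caught each of them, and it reports only a four-character preview so its own output does not become another copy of the secret. The AppID and AppSecret shapes (wx plus 16 hex characters; 32 hex characters) are taken from the public WeChat developer documentation as the editor understands it, and the generic assignment pattern and the sample file are constructed.

```python
# Added example (not code from the skill): scan source and docs for
# credential-shaped WeChat values. Assumptions (hypothetical): AppID/AppSecret
# formats per public WeChat docs; generic pattern and SAMPLE_CONFIG constructed.
import re
from pathlib import Path
from typing import Dict, Iterable, List

PATTERNS = {
    "wechat_appid": re.compile(r"\bwx[0-9a-fA-F]{16}\b"),
    "wechat_appsecret": re.compile(r"(?i)\b(app_?secret|secret)\s*[:=]\s*['\"]?([0-9a-f]{32})\b"),
    "generic_key_assignment": re.compile(r"(?i)(api_?key|access_?token|password)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"),
}
SCAN_SUFFIXES = {".py", ".md", ".txt", ".json", ".yaml", ".yml", ".env", ".toml"}


def scan_text(text: str, origin: str = "<string>") -> List[Dict[str, object]]:
    """One record per match; the preview keeps four characters so the scanner's
    output does not itself leak the value."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)  # captured secret, or whole match
                hits.append({"file": origin, "line": lineno, "kind": kind, "preview": value[:4] + "..."})
    return hits


def scan_paths(paths: Iterable[Path]) -> List[Dict[str, object]]:
    """Walk files and directories, scanning text-like suffixes only."""
    hits = []
    for p in paths:
        for f in ([p] if p.is_file() else p.rglob("*")):
            if f.is_file() and f.suffix in SCAN_SUFFIXES:
                try:
                    hits.extend(scan_text(f.read_text(encoding="utf-8", errors="replace"), str(f)))
                except OSError:
                    pass
    return hits


# Constructed sample standing in for a leaked wechat_config.py; all values are fake.
SAMPLE_CONFIG = (
    "# wechat_config.py (constructed sample, fake values)\n"
    'APPID = "wx0123456789abcdef"\n'
    'APPSECRET = "0123456789abcdef0123456789abcdef"\n'
    'GLM_API_KEY = "glm-constructed-example-key-000000"\n'
    'MEDIA_ID = "not-a-secret"\n'
)

if __name__ == "__main__":
    for h in scan_text(SAMPLE_CONFIG, "wechat_config.py"):
        print(f"{h['file']}:{h['line']}: {h['kind']} ({h['preview']})")
    raise SystemExit(1 if scan_text(SAMPLE_CONFIG) else 0)  # non-zero exit fails the commit
```

Run scan_paths([Path(".")]) from a pre-commit hook; a non-empty result should block the commit, and any real value it finds should be treated as exposed and rotated, not just deleted.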

VirusTotal

0 of 67 VirusTotal vendors flagged this skill as malicious. This is an anti-malware verdict on the files only; it does not assess the credential handling, publishing side effects or proxy exposure described in the findings above.