ClawHub
Back to skill

Security audit

ZM Markdown 转公众号格式工具

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about converting and uploading WeChat drafts, but its built-in AI-trace removal and aggressive humanizing workflows create a content-transparency concern.

Install only if you are comfortable giving this workflow access to WeChat draft credentials and using it for account-bound uploads. Treat draft/image-post creation as an explicit action, review generated or humanized text for truthful authorship and attribution, and avoid using the AI-trace removal or creator-style features to misrepresent who wrote the content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Ssd 2

Medium
Confidence
94% confidence
Finding
The skill explicitly advertises the ability to 'remove AI writing traces', which frames the tool as helping conceal AI authorship rather than merely improving prose quality. In a publishing workflow, this can enable policy evasion, deceptive content laundering, and reduced transparency about generated material, especially when paired with remote generation and draft-upload capabilities.

Ssd 2

Medium
Confidence
96% confidence
Finding
The repeated 'write', 'humanize', and aggressive humanization commands operationalize concealment by giving users direct workflows to rewrite AI-generated text into harder-to-detect forms. This increases risk beyond marketing language because the skill provides concrete execution paths for style mimicry and anti-detection rewriting in a content publication context.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal