Baoyu Post To Wechat

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its WeChat publishing purpose, but it can automatically send a WeChat login QR code to Telegram and operates on a live account with sensitive credentials.

Install only if you are comfortable letting the skill automate a live WeChat Official Account, upload selected local files and images to WeChat, create drafts, and store configuration locally. Do not set TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID unless you intentionally want WeChat login QR codes sent to that Telegram chat. Keep .baoyu-skills/.env and EXTEND.md out of shared folders and version control, use a test account first, and only use remote-api with an SSH host you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, reads environment/configuration, and performs network operations, yet the manifest declares no permissions. This creates a transparency and consent problem: an operator may approve or run the skill without understanding that it can access secrets, invoke local tooling, and send data off-host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description understates several sensitive behaviors, including Telegram transmission of login QR codes, SSH tunneling to a remote host, browser automation beyond simple posting, and native clipboard/keystroke control. When a skill's declared purpose omits these capabilities, users cannot accurately assess the privacy and security impact before use.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script provides a generic, cross-platform keystroke injection primitive that sends a real paste action to whatever application currently has focus, rather than being constrained to WeChat publishing flows. In an agent context, that capability can redirect clipboard contents into arbitrary apps or fields, causing unintended disclosure of sensitive data or unintended UI actions outside the declared skill scope.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
On macOS, the AppleScript path accepts an arbitrary application name, activates it, and injects Cmd+V via System Events. That lets the skill steer clipboard pastes into any app the user can access, which exceeds the stated WeChat-posting purpose and creates a path for misdelivery of secrets or unintended interaction with unrelated applications.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The markdown rendering path invokes an external toolchain via `spawnSync("npx", ["-y", "bun", ...])`, which expands the skill's trust boundary from simple API posting to executing locally installed or remotely fetched tooling. If the runtime environment, package resolution, or invoked script chain is compromised, this can lead to arbitrary code execution under the agent's privileges.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code captures the WeChat login QR code from the page and sends it to Telegram whenever TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are set. A login QR is authentication material for the WeChat Official Account session, so transmitting it to a third-party service outside the stated skill purpose creates an undisclosed credential-exfiltration path.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The Telegram integration is unrelated to the core function of posting articles to WeChat and introduces an outbound data path for sensitive login state. Hidden or undocumented side-channel integrations increase attack surface and make it easier to leak credentials or operational metadata without operator awareness.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
These tests demonstrate support for remote SSH-style publishing configuration such as host, user, port, identity file, known_hosts, proxy jump, and host key checking. That capability materially exceeds the declared skill description of publishing to WeChat via API or Chrome CDP, increasing the attack surface and creating a covert remote-access channel if the underlying feature is abused.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The test fixture confirms the code accepts SSH-like remote host parameters unrelated to direct WeChat posting, including bastion host, identity file, known_hosts, and proxy jump. In this skill context, undocumented remote host access is more dangerous because a publishing skill should not silently gain generalized remote connectivity capabilities.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented workflow performs automated edits inside an external WeChat editor, including selecting placeholder text and sending Backspace keystrokes, but it does not warn that these actions can modify or delete content in a logged-in account. In a browser automation context, focus mistakes, stale page state, or user misunderstanding could cause unintended edits or publication actions in the wrong draft or account.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup flow instructs the agent to create EXTEND.md containing fields for WeChat App credentials and SSH connection details, but it does not warn users that this file may contain sensitive secrets or advise on safe storage permissions and repository exclusion. In this skill context, that is a real security issue because the documented save locations are project-local or user-global config paths that are commonly synced, backed up, or accidentally committed, increasing the chance of credential disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to upload images and post content to a WeChat Official Account, but it does not clearly warn that content and media will be transmitted to an external third-party platform and may affect a real account by creating drafts or published materials. In an agent context, this omission is security-relevant because users may trigger account-affecting actions without understanding the privacy, compliance, or operational consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The clipboard test actively clears and replaces the user's system clipboard with a generated image during a permission check, which is a real user-affecting side effect. While not credential theft or code execution, it can disrupt the user workflow and unexpectedly destroy clipboard contents without prior notice or consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The Telegram send path is triggered automatically during login if environment variables are present, with no explicit warning or confirmation at the point of use. Because the transmitted data is a login QR that can enable account access, silent transmission materially increases the risk of credential misuse and unauthorized session establishment.

Credential Access

High
Category
Privilege Escalation
Content
| Issue | Fix |
|-------|-----|
| Missing API credentials | Follow guided setup in Step 2 |
| Access token error | Verify credentials valid and not expired |
| Not logged in (browser) | First run opens browser — scan QR to log in. Set `TELEGRAM_BOT_TOKEN` + `TELEGRAM_CHAT_ID` to receive the QR image via Telegram |
| Chrome not found | Set `WECHAT_BROWSER_CHROME_PATH` |
| Title/summary missing | Use auto-generation or provide manually |
Confidence
84% confidence
Finding
Access token

VirusTotal

VirusTotal findings are pending for this skill version.