ClawHub

Wechat Search Release

Security checks across malware telemetry and agentic risk

Overview

This is a user-directed WeChat article search helper with ordinary web-query privacy and dependency hygiene cautions, but no evidence of hidden access, persistence, destructive behavior, or exfiltration.

Install only if you are comfortable sending your search terms to the configured OpenClaw web search/fetch providers and related public search endpoints. Avoid putting secrets, internal project names, or regulated data into queries. If running the Python helper manually, prefer an isolated environment with pinned dependencies, and do not rely on the documented robots.txt, rate-limit, date-filter, or JSON-output claims unless you verify those behaviors in your OpenClaw tooling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Unvalidated Output Injection

High
Category
Output Handling
Content
search_url = f"https://weixin.sogou.com/weixin?type=2&query={query}"
            
            # Call OpenClaw's web_fetch tool
            result = subprocess.run([
                'openclaw', 'tool', 'web_fetch',
                '--url', search_url,
                '--extract-mode', 'markdown'
Confidence
90% confidence
Finding
subprocess.run([ 'openclaw', 'tool', 'web_fetch', '--url', search_url, '--extract-mode', 'markdown' ], capture_output

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
requests>=2.25.0
beautifulsoup4>=4.9.0

# Test dependencies
Confidence
95% confidence
Finding
requests>=2.25.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependencies
requests>=2.25.0
beautifulsoup4>=4.9.0

# Test dependencies
pytest>=6.0.0
Confidence
92% confidence
Finding
beautifulsoup4>=4.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
beautifulsoup4>=4.9.0

# Test dependencies
pytest>=6.0.0
pytest-cov>=2.10.0
mock>=4.0.0
Confidence
88% confidence
Finding
pytest>=6.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Test dependencies
pytest>=6.0.0
pytest-cov>=2.10.0
mock>=4.0.0
Confidence
86% confidence
Finding
pytest-cov>=2.10.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Test dependencies
pytest>=6.0.0
pytest-cov>=2.10.0
mock>=4.0.0
Confidence
86% confidence
Finding
mock>=4.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
84% confidence
Finding
pytest

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal