Wechat Search

Security checks across malware telemetry and agentic risk

Overview

This is a WeChat article search skill whose network, API-key, and helper-tool use generally matches its stated purpose, though users should understand its external helper and credential handling.

Install only if you are comfortable with search terms being sent to external search/fetch providers and with a configured Tavily API key being used by a local helper process. Verify that the local Tavily helper skill and OpenClaw CLI are trusted, because this package delegates work to them and may pass inherited environment variables to the helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that imply access to network, shell, environment, and filesystem state, but it does not declare permissions explicitly. This creates a permission-transparency gap: reviewers and runtime policy systems may underestimate what the skill can do, increasing the risk of unauthorized external requests, config-file access, or command execution if the implementation matches the documented behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill copies the full process environment and, if missing, reads a Tavily API key from a local file, even though the task is only to perform WeChat article search. In a skill context, unnecessary access to ambient credentials expands the blast radius: a compromised downstream script or unexpected logging/error path could expose secrets unrelated to the user's request.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill executes an external program to perform search instead of staying within a narrower, declared capability surface. In an agent-skill environment, delegating to another script creates an extra trust boundary: that script may change behavior, access additional resources, or mishandle credentials passed via the environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
A sensitive API credential is loaded from disk and then supplied to a subprocess without any user-visible disclosure or strong containment. This is dangerous because secrets obtained from local configuration can be unintentionally exposed to a child process, abused by a modified helper script, or leaked via diagnostics, making the search skill a conduit for credential access.

Missing User Warnings

Medium
Confidence
66% confidence
Finding
The code forwards the full process environment to a subprocess while also explicitly adding TAVILY_API_KEY. If the called Node.js script, one of its dependencies, or a replaced file at that path is compromised, it gains access to all inherited secrets and environment context, expanding the blast radius beyond the single API key needed for search.

VirusTotal

64/64 vendors flagged this skill as clean.
