火一五企微

Security checks across malware telemetry and agentic risk

Overview

This WeCom messaging skill fits its stated purpose in part, but it exposes WeCom credentials and directs automatic shared storage of user identity details.

Review before installing. Only use this in an environment where you own the WeCom tenant, have rotated the exposed secret and webhook key, and have replaced hardcoded credentials with a secret manager. Remove or disable automatic profile collection, gender-based personalization, daily refreshes, and shared-memory storage unless there is clear user notice, consent, access control, and retention policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill embeds live WeCom secrets, agent identifiers, and webhook material directly in documentation while also providing executable API invocation patterns. This turns a 'rules' skill into an operational exfiltration and messaging capability: anyone with access to the skill can impersonate the enterprise app, send messages, and access enterprise APIs.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill directs automatic collection of user name, userid, and gender, and their storage in shared memory, which exceeds the stated purpose of messaging standardization. Persisting identity attributes in a shared location increases the chance of unauthorized reuse, cross-user disclosure, and profiling without necessity.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill expands into recurring and conversation-triggered harvesting of user profile information, including daily refreshes and collection on any first interaction. This broadens the system from messaging assistance into ongoing surveillance-like collection, increasing privacy exposure and the blast radius of any compromise.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill mandates silent retrieval and shared persistence of user profile data without any disclosure, transparency, or consent mechanism. Hidden background collection is particularly risky because users and operators may not realize personal data is being gathered and retained across sessions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Automatically switching from direct enterprise messaging to temporary links changes the transmission method for files without warning. That can weaken user expectations about confidentiality, create untracked distribution channels, and expose files through less controlled sharing mechanisms.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill specifies ongoing automatic user information retrieval on new sessions, daily intervals, and first conversations without transparency. Continuous undisclosed collection materially increases privacy risk and normalizes background monitoring unrelated to immediate user requests.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The skill enforces gender-based salutations and even defaults to a gendered form when uncertain, which can misgender users and relies on inferred personal attributes without user choice. This creates personalization and dignity risks and encourages unnecessary processing of sensitive demographic information.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
This section repeats the requirement to derive salutations from fetched gender data, reinforcing a workflow that personalizes speech based on inferred attributes without opt-in. Repetition in operational rules makes misuse more likely and harder for downstream agents to avoid.

Ssd 3

High
Confidence
98% confidence
Finding
The instructions require identity data to be automatically collected and written into shared memory across conversations, creating a durable cross-session profile store. Shared retention of personal data increases the risk of unauthorized access, accidental disclosure to other users, and function creep beyond the original task.

Ssd 3

High
Confidence
98% confidence
Finding
Automatic refresh and persistence of profile data for any conversation participant institutionalizes broad identity tracking. This materially increases exposure because the dataset stays current, covers more users, and can be repurposed for actions unrelated to the original conversation.

Ssd 3

High
Confidence
97% confidence
Finding
The skill normalizes using chat metadata to identify users and then storing those identities in public/shared memory accessible across users. That creates a cross-user data leakage risk and expands the trust boundary from a single conversation to a shared repository.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
TOKEN=$(curl -s "https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=$CORP_ID&corpsecret=$SECRET" | jq -r '.access_token')

curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/message/send?access_token=$TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "touser": "用户ID",
    "agentid": 1000009,
    "msgtype": "t
```
Confidence
97% confidence
Finding
The flagged snippet fetches a WeCom access token from the gettoken endpoint using the corp ID and secret, then posts to message/send with that token and a hardcoded agent ID (1000009): an executable external-transmission pattern embedded in the skill.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Get access token
curl -s "https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=$CORP_ID&corpsecret=$SECRET"

# Send application message (private chat)
curl -s -X POST "https://qyapi.weixin.qq.com/cgi-bin/message/send?access_token=$TOKEN" \
```
Confidence
96% confidence
Finding
The flagged snippet retrieves a WeCom access token with the corp ID and secret and then sends an application message (private chat) through message/send using that token: an executable external-transmission pattern embedded in the skill.

VirusTotal

No VirusTotal findings