wecomdrive

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the WeCom document work it advertises, but it retains an authenticated enterprise browser session and local document artifacts on disk, with no clear cleanup or re-approval controls.

Install it only if you are comfortable giving the skill browser-based access to the target WeCom workspace. Use it only on specific user-provided links, review generated files before they are uploaded, keep highly sensitive documents out of it unless local processing is acceptable, and delete the skill's .state and .outputs directories whenever you want to clear saved sessions, QR screenshots and reports.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch
Medium severity, 94% confidence

The code enumerates page links and editable elements after login, which goes beyond the stated purpose of checking login state and capturing QR codes. Because the browser is authenticated to an enterprise WeCom/Drive session, returning page structure and input targets can expose internal URLs, document entry points and form fields that enable downstream data harvesting or unintended interaction.

Missing User Warnings
Medium severity, 90% confidence

The README instructs operators to capture the live enterprise login QR code and send it to a user, but gives no warning that the QR code is a live authentication artifact tied to an active session. Mishandling the image (forwarding it to the wrong person, storing it insecurely, or reusing it outside the intended workflow) creates phishing, account-takeover and privacy risks; because the skill preserves the same session, the captured QR is especially sensitive.

Missing User Warnings
Medium severity, 88% confidence

The manifest instructs the agent to export enterprise documents and spreadsheets, process them locally, generate reports and upload the results back to WeCom Drive, but provides no disclosure, consent boundary or data-handling constraints. The workflow normalizes moving corporate content off-platform and back again without warning or approval checks, creating a real risk of unintended exfiltration, over-collection or modification of sensitive enterprise data.

Missing User Warnings
Medium severity, 82% confidence

The script writes workbook-derived content, including fields such as IP, device, network and session/video-related identifiers, into local HTML and DOCX files without any consent prompt, sensitivity warning or output minimization. For a WeCom Drive skill handling enterprise files, this raises the chance of persisting sensitive operational data to disk, where it may be synced, shared or read by other local users or processes.

Missing User Warnings
Medium severity, 91% confidence

The script uses a persistent browser profile directory, which stores session cookies and other authentication state on disk without a clear warning or consent flow. In an enterprise document skill, those artifacts may let other local processes, or later runs, reuse the authenticated access, increasing the risk of account or session compromise on shared or insufficiently protected systems.

Missing User Warnings
Medium severity, 89% confidence

The code captures and saves the login QR code image to disk, creating a sensitive authentication artifact without a prominent warning or lifecycle controls. The image may be forwarded, retained or accessed by other local users or processes, enabling unauthorized login attempts or exposing details of the enterprise authentication flow.
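As an added example (not code from the wecomdrive skill or from SkillSpector), the following Python script turns the cleanup advice in the Overview and the persistent-profile and QR-image findings above into something you can run: it walks the .state and .outputs directories the skill's own guidance names, sorts what it finds into browser session state, login screenshots and generated reports, flags any file that other local accounts can read, and then deletes both directories. The Chromium-style profile file names (Cookies, Login Data), the Firefox cookies.sqlite name and the contents of the demo tree are assumptions for illustration, not taken from the skill.

```python
"""Audit and purge the local artifacts a browser-based agent skill leaves behind.

Added example; assumes the two directory names (.state, .outputs) given in the
skill's cleanup guidance. All file names under them here are constructed.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

STATE_DIRS = (".state", ".outputs")

# Assumption: profile is Chromium-based (Cookies, Login Data) or Firefox (cookies.sqlite).
SESSION_FILES = {"Cookies", "Cookies-journal", "Login Data", "cookies.sqlite"}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg"}
REPORT_SUFFIXES = {".html", ".docx", ".xlsx", ".csv"}


def classify(path: Path) -> str:
    """Label one artifact: 'session' (cookie/auth state), 'qr' (login screenshot),
    'report' (workbook-derived output) or 'other'."""
    if path.name in SESSION_FILES:
        return "session"
    suffix = path.suffix.lower()
    if suffix in IMAGE_SUFFIXES:
        return "qr"  # any screenshot under these dirs is treated as a login artifact
    if suffix in REPORT_SUFFIXES:
        return "report"
    return "other"


def audit(skill_root: Path) -> dict:
    """Walk .state and .outputs; return {category: [relative paths]} plus
    'shared_readable' for files whose mode lets group or others read them."""
    found = {"session": [], "qr": [], "report": [], "other": [], "shared_readable": []}
    for name in STATE_DIRS:
        base = skill_root / name
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if not p.is_file():
                continue
            rel = str(p.relative_to(skill_root))
            found[classify(p)].append(rel)
            # Group- or world-readable bits let another local account copy the session.
            if p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
                found["shared_readable"].append(rel)
    return found


def purge(skill_root: Path) -> list:
    """Delete .state and .outputs. This is plain unlinking: on SSDs and journaled
    filesystems the bytes may survive, so rely on disk encryption, not on 'wiping'."""
    removed = []
    for name in STATE_DIRS:
        d = skill_root / name
        if d.is_dir():
            shutil.rmtree(d)
            removed.append(name)
    return removed


def make_demo_tree(root: Path) -> None:
    """Constructed sample layout mirroring the artifact types the findings describe."""
    layout = {
        ".state/profile/Default/Cookies": b"constructed sqlite cookie jar",
        ".state/profile/Default/Login Data": b"constructed",
        ".outputs/login_qr.png": b"\x89PNG constructed",
        ".outputs/report.html": b"<html>IP, device, session ids (constructed)</html>",
        ".outputs/report.docx": b"PK constructed",
        ".outputs/run.log": b"constructed",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.chmod(p, 0o600)
    # Leave one session file readable by other local users so the check fires.
    os.chmod(root / ".state/profile/Default/Cookies", 0o644)


def demo() -> dict:
    """Build the sample tree in a temp dir, audit it, purge it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_demo_tree(root)
        before = audit(root)
        removed = purge(root)
        after = audit(root)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Against a real install, call audit(Path("/path/to/skill")) first and read the session and shared_readable lists before calling purge(); anything listed under shared_readable is a session another account on the machine could already have copied, so treat the WeCom session as compromised and re-authenticate rather than only deleting the files.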

VirusTotal

None of the 65 VirusTotal vendors flagged this skill; all 65 returned a clean result.
