Wechat Saver

Security checks across malware telemetry and agentic risk

Overview

This skill fetches user-provided WeChat articles and saves Markdown and images locally, which matches its stated purpose.

Install only if you are comfortable with the skill fetching WeChat pages and images and writing files into your Obsidian folder. Use a dedicated output directory first, consider --no-images if you do not want asset downloads, and watch for same-title articles because outputs can be overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill clearly instructs users to run a Python script that performs network access, downloads remote content and images, and writes Markdown and image files to local storage, yet the skill metadata declares no permissions. This mismatch is dangerous because users and hosting platforms may rely on declared permissions for trust and sandboxing decisions, causing underestimation of the skill's real capabilities.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill description says it saves WeChat articles to a local Obsidian vault, but it does not explicitly warn that execution will download remote images and write multiple files/directories to the local filesystem. This is risky because users may trigger it expecting a simple conversion step without realizing it performs persistent local writes and remote fetches, which could affect privacy, disk contents, and trust boundaries.

VirusTotal

67/67 vendors flagged this skill as clean.
