微信消息文件发送skill (WeChat message and file sending skill)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it can use your stored WeChat/OpenClaw login to send messages and upload the local files named in its arguments, with no confirmation step inside the script.

Install only if you trust the publisher and are comfortable letting the skill use your local OpenClaw WeChat session to send messages and upload named files. Before each use, verify the account_id, the destination context, and the exact file path it will read, and avoid using it on sensitive files or on shared machines where other users or agents can invoke it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The CLI help text and main-function description are misleading: they describe sending a message and returning JSON, while the script actually reads local account credentials and transmits a file over the network. In an agent skill context, an inaccurate description materially increases the chance of unintended sensitive actions, because an operator may approve execution without realising that local files and stored tokens are being used.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger description is broad and loosely defined: it covers account queries, message sending, and file sending under overlapping natural-language conditions. In a messaging/file-transfer skill, ambiguous activation raises the risk of unintended outbound actions, in particular sending a message or file when the user did not clearly intend any external transmission.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The automatic file-send trigger conditions are ambiguous and can overlap with ordinary handling of non-text messages or attachments. Because this skill transmits local files to external WeChat/CDN services, unclear auto-trigger logic can cause accidental exfiltration of user files or agent-generated artifacts without sufficiently explicit consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill lacks a clear warning that messages and local files may be transmitted to external WeChat and CDN infrastructure, potentially exposing sensitive content, file metadata, and account-linked context. In a file-sending skill, omitting this privacy notice materially increases the chance that users share sensitive local data without understanding where it goes and how long it may be retained.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script uploads the contents of any local file it is pointed at to external Weixin/CDN endpoints with no explicit confirmation, preview, or user-facing disclosure at execution time. In an agent environment this is a real exfiltration risk: whoever can influence the file-path argument (a user, a prompt-injected instruction, or another tool) can cause local files to be transmitted with the existing account credentials, which matters most when the path is sensitive or the user's intent is ambiguous.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code silently locates and reads local OpenClaw account files, including bot tokens and context data, without clear disclosure or consent. Reading stored credentials behind the scenes is dangerous in an agent skill because it expands the skill's effective privilege and lets it perform network actions on the user's behalf with no transparent authentication step.
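The last two findings, and the advice in the overview to verify account_id, destination and exact file path before each use, describe the missing gate rather than showing one. The block below is an added example of such a pre-flight gate, written for this page; it is not the scanned skill's code and not part of OpenClaw. The allowed roots, the denylist of credential-looking names and directories, the size limit, the `confirm` and `transport` callbacks, and the sample files created in `demo()` are all constructed assumptions (the page says the skill reads local OpenClaw account files but gives no path, so the `.openclaw` directory name is a guess). The gate resolves symlinks, refuses paths outside the allowed roots, refuses credential material, and only hands a previewed request to the transport after the caller has confirmed it.

```python
"""Pre-flight gate for an agent skill that sends local files over a stored session.

Added example for this report; not the scanned skill's own code. Policy values,
callbacks and sample data below are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Iterable, Optional

# Hypothetical policy; a real deployment would load these from configuration.
MAX_BYTES = 20 * 1024 * 1024
DENY_NAMES = {".env", "id_rsa", "id_ed25519", "credentials.json"}
DENY_DIR_PARTS = {".ssh", ".aws", ".openclaw"}  # ".openclaw" is a guessed location


@dataclass(frozen=True)
class SendRequest:
    account_id: str
    destination: str
    file_path: str


@dataclass(frozen=True)
class SendPreview:
    """What would leave the machine; shown to the user before any transmission."""
    account_id: str
    destination: str
    resolved_path: str
    size: int
    sha256: str


class SendRefused(Exception):
    pass


def _looks_like_credentials(path: Path) -> bool:
    return path.name in DENY_NAMES or any(p in DENY_DIR_PARTS for p in path.parts)


def build_preview(req: SendRequest, allowed_roots: Iterable[Path]) -> SendPreview:
    """Validate the request and describe the exact bytes that would be sent, without sending."""
    if not req.account_id or not req.destination:
        raise SendRefused("account_id and destination must be explicit")
    candidate = Path(req.file_path).expanduser()
    if not candidate.is_absolute():
        raise SendRefused("relative paths are ambiguous; an absolute path is required")
    try:
        resolved = candidate.resolve(strict=True)  # follows symlinks to the real target
    except (FileNotFoundError, RuntimeError) as exc:
        raise SendRefused(f"cannot resolve {candidate}: {exc}") from exc
    if not resolved.is_file():
        raise SendRefused(f"not a regular file: {resolved}")
    roots = [Path(r).expanduser().resolve() for r in allowed_roots]
    if not any(resolved == r or r in resolved.parents for r in roots):
        raise SendRefused(f"{resolved} is outside the allowed roots")
    if _looks_like_credentials(resolved):
        raise SendRefused(f"{resolved} looks like credential or session material")
    size = resolved.stat().st_size
    if size > MAX_BYTES:
        raise SendRefused(f"{size} bytes exceeds the {MAX_BYTES} byte limit")
    digest = hashlib.sha256()
    with resolved.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return SendPreview(req.account_id, req.destination, str(resolved), size, digest.hexdigest())


def guarded_send(req: SendRequest, allowed_roots: Iterable[Path],
                 confirm: Callable[[SendPreview], bool],
                 transport: Callable[[SendPreview], str]) -> Optional[str]:
    """Call transport only after the preview has been built and explicitly confirmed."""
    preview = build_preview(req, allowed_roots)
    if not confirm(preview):
        return None  # declined: nothing left the machine
    return transport(preview)


def demo() -> dict:
    """Constructed scenario: a temp workspace with sample files, exercising each outcome."""
    import tempfile
    out = {}
    with tempfile.TemporaryDirectory() as d:
        ws, elsewhere = Path(d) / "workspace", Path(d) / "elsewhere"
        ws.mkdir()
        elsewhere.mkdir()
        (ws / "report.txt").write_bytes(b"quarterly numbers\n")          # 18 bytes, shareable
        (ws / ".env").write_bytes(b"BOT_TOKEN=constructed-placeholder\n")  # credential-looking
        (elsewhere / "notes.txt").write_bytes(b"not shareable\n")          # outside allowed root
        try:
            (ws / "link.txt").symlink_to(elsewhere / "notes.txt")           # escape via symlink
        except OSError:
            pass  # no symlink support here; the case below is then refused as missing

        def attempt(path, confirm=lambda p: True):
            req = SendRequest("acct-demo", "group:constructed", str(path))
            try:
                return guarded_send(req, [ws], confirm,
                                    lambda p: f"sent {p.size} bytes to {p.destination}")
            except SendRefused as exc:
                return f"refused: {exc}"

        out["report"] = attempt(ws / "report.txt")
        out["declined"] = attempt(ws / "report.txt", confirm=lambda p: False)
        out["env"] = attempt(ws / ".env")
        out["outside"] = attempt(elsewhere / "notes.txt")
        out["symlink"] = attempt(ws / "link.txt")
        out["relative"] = attempt("report.txt")
        out["missing"] = attempt(ws / "nope.txt")
        out["hash_len"] = len(build_preview(
            SendRequest("acct-demo", "group:constructed", str(ws / "report.txt")), [ws]).sha256)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The preview carries the resolved path and a SHA-256 of the bytes so that what the user confirms is what is actually transmitted; a transport that re-reads the path after confirmation would reopen the time-of-check/time-of-use gap that the hash is meant to close, so a production version should pass the already-read bytes to the transport instead of the path.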

VirusTotal

VirusTotal findings are pending for this skill version.
