wx

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to automate WeChat, but it can send messages and capture the full screen without strong review or scoping controls.

Install only if you are comfortable letting an agent control WeChat through local UI automation. Use it only for explicit, reviewed messages, avoid auto-reply workflows unless you add confirmation and recipient checks, and assume OCR may capture unrelated visible screen content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("\\\\n".join(results))
'''

    result = subprocess.run([sys.executable, "-c", py_script], capture_output=True, text=True)
    return result.stdout

def main():
Confidence
95% confidence
Finding
result = subprocess.run([sys.executable, "-c", py_script], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents executable shell-capable behavior via `osascript` and `python3`, but no permissions are declared to reflect that capability. This creates a transparency and policy gap: users or orchestrators may invoke code execution without explicit consent boundaries, increasing the risk of unintended automation against local applications and user data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The description claims OCR-based screenshot recognition and auto-reply behavior beyond the included script, which can mislead users and agents about what data the skill may capture and how it acts on that data. In messaging contexts, such mismatch is dangerous because screenshot/OCR features can expose sensitive conversations, and 'auto-reply' automation can send unintended messages without clear review controls.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest advertises OCR screenshot recognition and auto-reply, while the documented code only activates WeChat, selects a contact, and optionally sends a provided message. This discrepancy undermines trust and safe policy enforcement, because systems may approve or route the skill based on inaccurate functionality claims, especially for privacy-sensitive messaging tasks.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The documentation implies automatic message handling, but in the no-message path the script merely prepares the chat and returns `Ready` without sending anything. This can cause unsafe operator assumptions in automated workflows, where upstream components may believe a reply occurred or may chain additional actions on an incorrect state, increasing the chance of mis-sends or privacy mistakes.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger scope is broad enough to activate on common requests to send or auto-reply to WeChat messages, without clear constraints on recipients, message sources, or confirmation requirements. In a messaging skill that drives UI automation, overbroad triggering raises the risk of unintended invocation, accidental contact selection, and unauthorized outbound communication.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes automated WeChat sending and OCR-based auto-reply without warning about privacy, clipboard leakage, screen-capture sensitivity, or unintended-message risks. Because the context is personal messaging, any OCR or automated send capability can expose private chat contents and transmit incorrect or unauthorized messages to real contacts, making the omission materially dangerous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script captures the entire screen into a predictable temporary file and OCRs all visible content without any user-facing notice, consent step, or scope limitation. In the context of a WeChat automation skill, this can unintentionally collect unrelated sensitive data from other windows, notifications, or documents visible on screen.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends a WeChat message automatically by pasting arbitrary text and pressing Return, with no user-visible confirmation, preview, or approval step. In the context of a messaging automation skill, this increases the risk of misdelivery, unintended replies, or abuse by upstream callers to send messages the user did not explicitly verify before transmission.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The script overwrites the system clipboard with the contact name, and later with the message text, without notifying the user or restoring the previous clipboard contents. This can leak sensitive data into the clipboard history and disrupt user workflows, especially because clipboard contents may be synced, logged, or read by other applications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically opens WeChat, selects a contact, types arbitrary content, and sends it immediately without any confirmation or preview. In an agent-skill context, this can cause unintended or unauthorized outbound communications, including spam, social engineering, privacy leaks, or reputational harm if triggered with attacker-controlled inputs.

VirusTotal

64/64 vendors flagged this skill as clean.