Skill v1.0.0

ClawScan security

wx · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 7:15 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's WeChat UI-automation purpose is coherent, but there are notable mismatches and privacy risks (OCR/screenshot behavior, clipboard access, and an undocumented OpenAI dependency) that warrant caution.
Guidance
This skill automates WeChat by simulating keystrokes, modifying your clipboard, and taking full-screen screenshots for OCR. Before installing:
(1) verify the skill source — it has no homepage and an unknown publisher;
(2) inspect the scripts yourself — they will run locally and manipulate clipboard/screen;
(3) be cautious granting macOS Accessibility and Screen Recording rights (these let the script see and control other app content);
(4) note wx_ocr_reply.py mentions OpenAI but no API key is declared — if you enable OCR-reply, confirm where recognized text or screenshots are sent and whether an API key will be required;
(5) run tests with a dummy account/contact and avoid running on systems with sensitive on-screen data.
If you want to proceed, consider restricting network access during testing or reviewing/locking down any code paths that would send screenshots or clipboard contents to external services.

Review Dimensions

Purpose & Capability
note: The name/description (send WeChat messages / optional OCR-reply) match the included AppleScript and Python UI-automation code. The AppleScript and pyautogui approaches are appropriate for this purpose. However, SKILL.md and wx_ocr_reply.py reference using an OpenAI API for automated replies while the skill declares no required credentials — that mismatch is unexplained.
Instruction Scope
concern: Runtime instructions and scripts simulate UI, modify the clipboard, and capture full-screen screenshots (/tmp/wechat_screenshot.png) for OCR. Screenshot + OCR can capture sensitive data beyond WeChat. The AppleScript sets the clipboard (reads/writes user clipboard) and the Python OCR code runs an inline Python snippet invoking Vision and AppKit. The OCR script prints recognized text and contains a TODO to call an LLM; instructions are open-ended about where replies are generated or sent.
Install Mechanism
note: There is no install spec (instruction-only), which limits on-disk installs to the provided scripts. The scripts require optional Python packages (pyautogui) and macOS permissions. No remote downloads or installers are used, so install risk is limited, but the presence of executable scripts means the agent will execute local code if invoked.
Credentials
concern: Declared requirements list no environment variables or credentials, yet the SKILL.md and wx_ocr_reply.py refer to configuring an OpenAI API for automated replies. That credential is neither declared nor constrained here. The skill will also interact with system clipboard and create screenshots, which are sensitive but not declared as a permission requirement. Overall, the requested/declared env access is under-specified and could hide remote API usage.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistent privileges. It does require macOS Accessibility (osascript/terminal) and screen capture permissions at runtime to function, which is normal for UI automation but grants access to interact with other apps and see screen contents.