Wx Echo

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it carries a Review verdict because it decrypts and continuously scans private WeChat messages, stores the extracted keys and message data on disk, and can publish excerpts to Discord or Apple Calendar.

Install only if you intentionally want an agent to use sudo to inspect WeChat process memory, decrypt local WeChat databases, store keys and messages locally, run recurring scans, and post selected chat-derived content to Discord or Apple Calendar. Keep all_keys.json, collector.db, the decrypted databases, and the config files private (readable by your user only); do not use the sshpass fallback (password SSH) or the raw curl fallback (bot token on the command line); restrict the monitored chats before enabling cron; and review or remove the scheduled tasks if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The README explicitly instructs the agent to compile tooling, extract WeChat encryption keys from a live process, decrypt local chat databases, and register scheduled tasks. Even if framed as a personal-assistant feature, process-memory key extraction with sudo materially increases privilege and accesses sensitive protected data, creating a real security risk if misused or run on the wrong system.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The documentation emphasizes privacy and local processing, but the described implementation still requires sudo-based extraction of encryption keys from WeChat process memory. That combination is dangerous because it normalizes invasive credential/material extraction under a benign privacy narrative, which could cause users or agents to underappreciate the sensitivity of the operation.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
Saying the CLI 'only does data extraction' understates the documented capabilities, which include decryption and process-memory key extraction tools. This is a security-relevant misrepresentation because it can mislead users and agents into treating highly sensitive operations as ordinary parsing or export tasks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly supports optional remote execution over SSH and includes password-based access via sshpass placeholders. That extends the skill's reach from local WeChat processing to remote command execution, increasing attack surface and creating risk of credential exposure, misuse of stored passwords, and unintended execution on another host.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs password-based SSH using sshpass and disables host key verification with StrictHostKeyChecking=no. That combination creates credential exposure and machine-in-the-middle risk, and it also grants the skill remote command execution on another host beyond simple calendar parsing.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The fallback instructs the agent to bypass the approved message tool and directly call Discord's API with bot credentials via curl. This expands capability from scoped forum posting to arbitrary raw API use and increases the chance of token misuse, data exfiltration, or unauthorized posting behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs falling back to raw curl with an Authorization header using $DISCORD_BOT_TOKEN from the environment. This bypasses the safer platform tool boundary, normalizes direct credential use inside prompts, and creates a path for token misuse or accidental leakage through logs, command history, error output, or prompt injection into the generated payload.
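The two fallbacks flagged in the SSH and Discord findings above are recognisable from the command line alone. The following Python is an added example, not code from the Wx Echo skill or from SkillSpector: it tokenises shell commands the way a shell would and reports the three weak patterns (an sshpass invocation, StrictHostKeyChecking=no, and an Authorization header passed as an argument). The sample commands are constructed for illustration; the host address, channel id and script names in them are assumptions, not values from the page.

```python
"""Audit shell command lines for the unsafe SSH and curl fallbacks described
above.  Added example: not part of the Wx Echo skill or the scanner.  The
commands in SAMPLE_COMMANDS are constructed; addresses and paths are made up.
"""
from __future__ import annotations

import re
import shlex

# Constructed inputs modelled on the patterns the findings describe.
SAMPLE_COMMANDS = [
    # password-based SSH with host-key verification switched off
    "sshpass -p 'hunter2' ssh -o StrictHostKeyChecking=no deploy@10.0.0.5 ./sync.sh",
    # raw Discord API call with the bot token expanded into the argument list
    'curl -H "Authorization: Bot $DISCORD_BOT_TOKEN" '
    "https://discord.com/api/v10/channels/1/messages",
    # key-based SSH that keeps the default host-key check: nothing to report
    "ssh -i ~/.ssh/id_ed25519 deploy@10.0.0.5 ./sync.sh",
]

_HOSTKEY_OFF = re.compile(r"StrictHostKeyChecking\s*=\s*no\b", re.IGNORECASE)


def audit_command(cmd: str) -> list[str]:
    """Return the issue codes found in one shell command, in order of appearance.

    The command is split with shlex so quoting is honoured the same way the
    shell would; the check therefore sees the arguments ssh/curl would see.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return ["unparseable"]

    issues: list[str] = []
    for i, arg in enumerate(argv):
        # sshpass supplies the password from argv (-p) or the environment (-e);
        # either way the session is not bound to a key the user controls.
        if arg == "sshpass":
            issues.append("password-ssh")
        # With host-key checking off, ssh accepts any server key, so a host
        # impersonating the target learns the password and sees every command.
        elif _HOSTKEY_OFF.search(arg):
            issues.append("host-key-check-disabled")
        # A header passed via -H is visible in `ps`, shell history and agent
        # traces once the shell has expanded $DISCORD_BOT_TOKEN into it.
        elif arg in ("-H", "--header") and i + 1 < len(argv):
            if argv[i + 1].lower().startswith("authorization:"):
                issues.append("token-in-argv")
    return issues


def audit_commands(cmds: list[str]) -> dict[str, list[str]]:
    """Map each command to its issues, omitting commands that are clean."""
    return {c: found for c in cmds if (found := audit_command(c))}


if __name__ == "__main__":
    for cmd, found in audit_commands(SAMPLE_COMMANDS).items():
        print(f"{', '.join(found)}: {cmd}")
```

The clean alternatives the check implies are standard ones: key-based SSH with the remote host's key pre-seeded in known_hosts (or StrictHostKeyChecking=accept-new on first contact), and for curl a header file read with -H @file or a --config file with mode 0600, so the token never appears in argv.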

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README tells the agent to clone the repo and then automatically perform compilation, key extraction, decryption, syncing, and scheduled task registration with little upfront emphasis on sensitivity or system impact. That is unsafe because it encourages automation of privileged, persistent, and privacy-invasive actions without clear informed consent at the point of initiation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is designed to decrypt WeChat data, extract content from private chats and groups, analyze it, and push derived results to Discord, but it does not present clear, prominent consent and privacy warnings proportionate to the sensitivity of the data. In context, this is more dangerous because the workflow handles private communications, uses extracted encryption keys, and transfers message-derived content to a third-party platform, creating substantial privacy and data-governance risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is designed to scan private WeChat direct messages and work groups for schedule extraction, but it provides no explicit consent, notice, or privacy boundary. Because the source data is highly sensitive personal and workplace communication, silent bulk inspection materially increases privacy and compliance risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The workflow creates Apple Calendar entries and posts message-derived schedule details to Discord without a clear warning that private conversation content will be disclosed to another system. Moving derived content across platforms increases exposure and can leak sensitive business or personal information to a broader audience than the original chat participants.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The prompt instructs use of a Discord bot token in a shell command without any warning about secret handling, logging, or shell history exposure. Embedding credential use in executable instructions increases the chance that tokens are leaked through agent traces, command logs, debugging output, or misuse of the exec tool.

Missing User Warnings

High
Confidence
98% confidence
Finding
The program extracts cryptographic keys from another process's memory and persists them to `all_keys.json` in plaintext. This creates a durable local secret dump that can be exfiltrated by other users, malware, backups, or forensic collection, materially increasing exposure of protected WeChat databases.

Missing User Warnings

High
Confidence
88% confidence
Finding
The tool derives another user's home directory via `SUDO_USER`, locates their WeChat data, and combines that with cross-process memory extraction of encryption material without explicit consent or safety gates. In a security-sensitive context, this facilitates credential/secret harvesting from a privileged execution path and increases the chance of misuse or accidental compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script emits extracted private and work-group message content directly to stdout as formatted JSON. In agent or automation environments, stdout is commonly captured by logs, parent processes, pipelines, or monitoring systems, which can unintentionally disclose sensitive chat data far beyond the intended consumer.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script reads message contents from a local chat database and emits them verbatim as formatted JSON to stdout, including sender, timestamps, and up to 500 characters of content. In CLI and automation contexts, stdout is commonly redirected to logs, pipelines, or other processes, so this creates a real risk of unintended disclosure of sensitive group-chat data even if the script's purpose is legitimate.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script extracts private direct-message content from a local message database and prints it, along with open TODO data, directly to stdout. In agent or automation environments, stdout is often captured by logs, pipelines, orchestration layers, or other tools, so sensitive personal data may be exposed beyond the intended consumer.
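The three stdout findings above share one remedy: what the script prints for a pipeline or log should be a reference to a message, not the message. The block below is an added example, not code from the Wx Echo skill, showing a log-safe view of the record shape the findings describe (sender, timestamp, up to 500 characters of content). The sender is replaced by a keyed HMAC tag so records stay correlatable across runs without being reversible without the key, the content is replaced by its length and a SHA-256 prefix that can be matched against the local database later, and a plaintext preview is only emitted when the caller asks for one. The messages, sender ids and the key are constructed for the example.

```python
"""Log-safe rendering of chat records.  Added example, not code from the
Wx Echo skill; SAMPLE_MESSAGES and LOG_KEY are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed records in the shape the findings describe.
SAMPLE_MESSAGES = [
    {"sender": "wxid_alice", "ts": 1714000000,
     "content": "Standup moved to 10:30 tomorrow, room 4B"},
    {"sender": "wxid_bob", "ts": 1714000100,
     "content": "Can you resend the contract draft? Door code is 2913"},
]

# Constructed key.  In use this would be a per-deployment secret kept with the
# same care as the decryption keys, and never written into the log itself.
LOG_KEY = b"constructed-example-key"


def pseudonymise(sender: str, key: bytes) -> str:
    """Stable keyed tag for a sender: same input gives the same tag, but the
    tag cannot be turned back into the contact id without the key."""
    return hmac.new(key, sender.encode(), hashlib.sha256).hexdigest()[:12]


def redact_message(msg: dict, key: bytes, preview_chars: int = 0) -> dict:
    """Return only the fields a downstream consumer needs to reference a message.

    The raw text is dropped; its length and a hash prefix let the consumer
    look the message up in the local database without the log carrying the
    content.  preview_chars > 0 is an explicit opt-in to a short excerpt.
    """
    content = msg["content"]
    out = {
        "sender": pseudonymise(msg["sender"], key),
        "ts": msg["ts"],
        "content_len": len(content),
        "content_sha256": hashlib.sha256(content.encode()).hexdigest()[:16],
    }
    if preview_chars > 0:
        out["preview"] = content[:preview_chars]
    return out


def render_for_stdout(messages: list[dict], key: bytes,
                      preview_chars: int = 0) -> str:
    """JSON document that is safe to print, pipe, or capture in agent traces."""
    return json.dumps([redact_message(m, key, preview_chars) for m in messages],
                      indent=2, ensure_ascii=False)


if __name__ == "__main__":
    print(render_for_stdout(SAMPLE_MESSAGES, LOG_KEY))
```

The hash prefix is a lookup handle, not a secrecy mechanism: short messages can be brute-forced from a hash, which is why the sender tag uses a keyed HMAC rather than a plain digest. Anything that genuinely needs the text (the Discord post, the calendar entry) should read it from the local database at the point of use rather than from what was printed.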

Ssd 3

High
Confidence
99% confidence
Finding
The instructions explicitly direct publication of private chat excerpts, event details, and source contact identities from WeChat into Discord posts. In this context, the skill processes private and workplace communications, so reposting message content to a forum materially amplifies disclosure risk and could expose confidential, personal, or regulated information.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pycryptodome
zstandard
pyyaml
Confidence
98% confidence
Finding
pycryptodome is listed without a version pin, so an install resolves to whatever release is current at the time and cannot be reproduced or matched to a known advisory set.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pycryptodome
zstandard
pyyaml
Confidence
94% confidence
Finding
zstandard is listed without a version pin.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pycryptodome
zstandard
pyyaml
Confidence
99% confidence
Finding
pyyaml is listed without a version pin.

Known Vulnerable Dependency: pycryptodome, 3 advisories reported, one of them listed twice: CVE-2018-15560 (PyCryptodome before 3.6.6 has an integer overflow in the data_len variable in AE); CVE-2023-52323 (PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption)

High
Category
Supply Chain
Confidence
92% confidence
Finding
pycryptodome. Both advisories are fixed in PyCryptodome 3.6.6 and 3.19.1 respectively, so the finding reflects the missing pin rather than a version the skill is known to install. The OAEP side channel is also only reachable if the skill performs RSA-OAEP decryption, which the documented workflow (decrypting local WeChat databases) does not describe.

Known Vulnerable Dependency: pyyaml, 8 advisories, including CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
pyyaml. The three named advisories concern yaml.load / full_load constructing arbitrary Python objects from an untrusted document and are fixed from PyYAML 5.4 onwards; they matter here only if the skill parses YAML that an attacker can influence, and yaml.safe_load is unaffected by them on any version.
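The two dependency findings are only actionable together with the version the skill actually installs, which an unpinned requirement does not state. The following Python is an added example, not the scanner's logic and not code from the skill: it parses a requirements file, reports every unpinned or range-only entry, and compares any exact pin or lower bound against the release in which the advisories named above were fixed. The fix versions (pycryptodome 3.19.1 for CVE-2023-52323, which also covers the older 3.6.6 fix for CVE-2018-15560; PyYAML 5.4 for the three named PyYAML CVEs) are the example's own assumption drawn from the projects' changelogs, not something the page states; the requirements text is constructed, with the skill's three packages shown unpinned as the page reports.

```python
"""Audit a requirements file for unpinned entries and for version bounds that
still admit the advisories named above.  Added example: not the scanner's
logic and not code from the skill.  SAMPLE_REQUIREMENTS is constructed; the
advisory fix versions are the example's assumption, not stated on the page.
"""
from __future__ import annotations

import re

# Lowest release in which the advisories named on this page are fixed.
# Assumption of this example, taken from the projects' changelogs.
ADVISORY_FLOOR = {
    "pycryptodome": (3, 19, 1),  # CVE-2023-52323; CVE-2018-15560 was fixed earlier, in 3.6.6
    "pyyaml": (5, 4, 0),         # CVE-2019-20477, CVE-2020-1747, CVE-2020-14343
}

# Constructed manifest: the skill's three packages unpinned, as the page reports,
# plus a lower-bound-only variant to show what a range does and does not rule out.
SAMPLE_REQUIREMENTS = """\
pycryptodome
zstandard
pyyaml>=5.1   # lower bound only; 5.1 through 5.3.x remain selectable
"""

_SPEC = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|~=|<=|!=|>|<)\s*([0-9][0-9.]*))?"
)


def _version(text: str) -> tuple[int, ...]:
    """'5.1' -> (5, 1, 0); only numeric segments take part in the comparison."""
    parts = [int(p) for p in text.strip(".").split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def classify(name: str, op: str | None, ver: str | None) -> str:
    """Status for one requirement line.

    unpinned                 no version, or only an upper bound / exclusion
    pinned / pinned-vulnerable
                             exact version, compared with the advisory floor
    range / range-allows-vulnerable
                             lower bound only; the bound itself is compared
    """
    floor = ADVISORY_FLOOR.get(name)
    if op is None or op in ("<", "<=", "!="):
        return "unpinned"
    kind = "pinned" if op == "==" else "range"
    if floor and _version(ver) < floor:
        return "pinned-vulnerable" if kind == "pinned" else "range-allows-vulnerable"
    return kind


def audit_requirements(text: str) -> list[tuple[str, str]]:
    """(package, status) for each non-comment line, in file order."""
    results: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SPEC.match(line)
        if not m:
            results.append((line, "unparsed"))
            continue
        # Normalise the distribution name the way package indexes compare it.
        name = m.group(1).lower().replace("_", "-")
        results.append((name, classify(name, m.group(2), m.group(3))))
    return results


if __name__ == "__main__":
    for package, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}: {status}")
```

A plain pip install of a lower-bound-only requirement resolves to the newest release, so "range-allows-vulnerable" describes what the manifest permits (for example when another package in the same environment caps pyyaml below 5.4), not what a fresh install will necessarily pick. Pinning each package at or above its floor, and verifying the install with pip's hash checking, is what turns the scanner's two version-independent findings into a checkable statement.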

VirusTotal

60/60 vendors flagged this skill as clean.
