wechat mp push: WeChat Official Account (微信公众号) article generation and push skill

Security checks across malware telemetry and agentic risk

Overview

The skill mainly matches its WeChat draft-publishing purpose, but it also documents an under-scoped draft-clearing action that could delete account drafts without clear safeguards.

Install only if you trust the pcloud QR authorization wizard and API with your WeChat account identifiers and unpublished draft content. Keep config.json private, verify the target AppID before each push, and do not invoke cleanupDrafts unless you explicitly intend to clear drafts for that account and have confirmed what will be deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium severity, 93% confidence
Finding
The README exposes a draft-box cleanup capability that expands the skill from content generation and pushing into destructive content management. Even if intended as maintenance, undocumented or weakly scoped deletion functionality increases the chance an agent may invoke it unexpectedly and erase user drafts or operational content.

Context-Inappropriate Capability

Medium severity, 92% confidence
Finding
A deletion operation is not necessary for the stated purpose of generating and pushing drafts, so its inclusion violates least privilege and broadens the attack surface. In an agent setting, extra capabilities are risky because prompt ambiguity or malicious instruction chaining could trigger cleanup and cause data loss.

Description-Behavior Mismatch

Medium severity, 92% confidence
Finding
The skill metadata and main description frame the capability as content generation and draft pushing, but the document also includes a destructive draft-cleanup operation. This hidden capability increases the chance that an agent or user invokes data-destructive behavior without realizing the skill can delete existing drafts.

Intent-Code Divergence

Medium severity, 97% confidence
Finding
The script treats timeout-like responses as successful: it sets ok to true and emits a message claiming the task already succeeded in the background, but performs no server-side verification or idempotency check. In automation this suppresses retries and error handling, so a publication that actually failed can produce silent message loss, a duplicate send on the next attempt, or a false audit status.

Missing User Warnings

Medium severity, 88% confidence
Finding
The README instructs the AI to persist the user-provided Official Account (公众号) configuration into config.json without warning that the data may contain sensitive identifiers or authorization material. Storing such data locally without minimization, redaction, permission guidance, or lifecycle controls can expose account access through logs, filesystem leakage, or reuse by other tasks.

Missing User Warnings

Medium severity, 94% confidence
Finding
The instructions tell the AI to create or overwrite config.json directly, which modifies a local file containing live configuration without an explicit warning, confirmation, or backup step. In an agent setting, this can overwrite valid credentials or switch accounts unexpectedly, causing loss of working configuration or unauthorized use of a different account.

Missing User Warnings

Medium severity, 90% confidence
Finding
The skill sends article content, account identifiers, and authorization-linked data to a remote API, but does not require a clear user-facing privacy notice or consent step. This is dangerous because generated or user-supplied content may contain sensitive business data, and the transfer occurs to a third-party endpoint outside the local environment.

Missing User Warnings

High severity, 98% confidence
Finding
The clear-drafts feature is explicitly destructive and lacks any confirmation, safety interlock, scoping check, or dry-run behavior. In a multi-account workflow, an accidental or automated invocation could erase an entire draft box, causing operational disruption and loss of unpublished content.

VirusTotal

65/65 vendors flagged this skill as clean.
