weixin mp push: WeChat Official Account article generation and push skill

Security checks across malware telemetry and agentic risk

Overview

This WeChat publishing skill mostly matches its stated purpose, but it should be reviewed because it stores account-linked configuration and exposes draft-clearing/publishing actions through a third-party API without strong safeguards.

Install only if you trust the pcloud.ac.cn service and are comfortable storing WeChat account configuration locally in config.json. Review the target AppID before every push, avoid sending confidential drafts unless third-party processing is acceptable, and do not invoke cleanupDrafts unless you explicitly intend to clear drafts for that account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The README documents a remote 'cleanupDrafts' action that extends beyond the skill's advertised generation-and-push workflow, increasing the effective privilege and destructive capability available to the agent. Even if legitimate, undocumented or under-disclosed account actions can be triggered against a user's connected WeChat official account and may lead to unintended deletion of draft content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill documents a draft-box cleanup API that is outside the core stated purpose of generating and pushing content, and it is a destructive operation with no gating, confirmation, or justification. In an agent setting, this expands the skill's capability from content publishing to content deletion, increasing the risk of accidental or unauthorized destruction of existing drafts.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The script treats HTTP 408/504 or any response containing 'timeout' as effectively successful by setting ok=true and telling users the background task succeeded, even though it has no cryptographic receipt, job ID verification, or follow-up status check. This can cause silent delivery failures, duplicate pushes, or inconsistent automation state because callers are explicitly discouraged from retrying despite not knowing whether the operation completed.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README tells the AI to save user-supplied official-account configuration into config.json without warning that this stores sensitive account-linked data on disk. Local persistence of tokens, openId values, or account metadata can expose users to credential theft, unintended reuse across sessions, or leakage through logs, backups, or other skills with filesystem access.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The instructions tell the agent/user to write authorization-derived configuration into config.json on disk without warning that it may contain sensitive identifiers or tokens. Persisting such material in plaintext can expose account access to other local users, backups, logs, or subsequent tools that read the workspace.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs sending article content, image URLs, openId, and possibly appId to a remote API, but does not clearly warn the user that content and account-linked data will be transmitted off-host. In an agent workflow, users may assume local processing, so the missing disclosure undermines informed consent and increases privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documented cleanup operation is destructive but lacks a clear warning that it may remove existing draft content from the target public account. Without prominent confirmation requirements, an agent or user could trigger irreversible loss of unpublished material across accounts.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The workflow asks the user to copy generated account configuration and send it to the AI, creating a natural-language channel for transmitting sensitive identifiers and authorization material. This is dangerous because conversational channels may be logged, retained, or exposed to other tools, and the AI is then instructed to persist that data locally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal