WeChat Lead Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is built for WeChat lead scraping and marketing follow-up, and it stores identifiable chat-derived profiles and raw messages without clear retention, consent, or opt-out controls.

Only install this if you are comfortable with a tool that may process WeChat conversations, contacts, and lead profiles for marketing use. Treat it as requiring explicit consent and a privacy review before real WeChat data is connected; keep auto-reply off, avoid scheduled scraping, and delete or disable raw message/profile storage unless you have a clear lawful basis and retention plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill describes capabilities that read WeChat data, write multiple artifacts, and use memory/networked components, but it declares no permissions. That mismatch weakens review and consent boundaries because a user or platform cannot accurately understand or constrain what the skill will access or persist. In a marketing/lead-generation context handling personal conversations, undeclared capabilities increase the chance of unauthorized collection and storage of sensitive data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
76% confidence
Finding
The documentation presents the skill as WeChat lead generation and automated reply tooling, but it also persists lead/profile data and raw outputs to local files and agentmemory, which materially expands its privacy and security impact. That behavioral mismatch can mislead operators about the true scope of data handling, causing them to enable a workflow that stores personal communications beyond what they expected.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill stores lead-derived personal data into long-term agent memory, extending retention and reuse beyond immediate report generation. Because the data comes from WeChat conversations and includes names, interests, scores, and message excerpts, this creates an unnecessary secondary datastore of sensitive personal information and increases privacy, compliance, and unauthorized reuse risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code writes raw messages, customer profiles, and high-score leads to local artifact files, effectively warehousing sensitive WeChat data rather than only producing a transient analysis result. Storing identifiable conversation content on disk increases the attack surface for local compromise, accidental exposure, or later misuse.

Missing User Warnings

High
Confidence
98% confidence
Finding
Sensitive WeChat message content, names, and derived profiles are written to disk without any evident consent flow, notice, or disclosure to the operator or affected users. In a lead-generation context, silently persisting conversation-derived personal data is especially risky because the data is directly tied to identifiable individuals and sales profiling.

Missing User Warnings

High
Confidence
97% confidence
Finding
The agentmemory integration persists conversation-derived lead information outside the generated report files, with no clear disclosure or user control in the workflow. This creates hidden long-term retention of personal data and can enable later profiling or cross-task reuse beyond the original purpose.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill explicitly promotes storing captured conversations and lead profiles in agent memory for long-term tracking, which encourages retention of private communications and personal data. In the context of a WeChat scraping/marketing skill, this materially increases privacy, compliance, and insider-exposure risk because sensitive user content may be retained beyond necessity and reused for profiling.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented output workflow includes profiles.json and raw_messages.json artifacts, meaning private messages and customer profiles are persisted in clear, easily exfiltrated files. Because this skill is designed to scrape social/chat content, these artifacts create a concrete data exposure path for sensitive communications, personal data, and inferred interests.

Ssd 3

High
Confidence
97% confidence
Finding
The skill explicitly instructs storing raw WeChat conversations and customer profiles in long-term memory for ongoing tracking and scoring. This creates a significant privacy and data-protection risk because personal messages, interests, and inferred intent may be retained beyond the original interaction and reused for profiling or outreach without clear consent, minimization, or retention controls.

Ssd 3

High
Confidence
96% confidence
Finding
The output specification includes artifacts containing customer profiles and other captured data, which increases the risk of accidental exposure, exfiltration, or secondary use. In this context, the skill is operating on private communications and inferred marketing profiles, so exporting such data to files materially broadens the attack surface and privacy impact.

Ssd 3

High
Confidence
98% confidence
Finding
Defining a dedicated raw_messages.json artifact creates a direct plain-text exposure path for captured WeChat conversations. Because these messages may contain personal, confidential, or regulated information, persisting them as a local artifact substantially increases harm from compromise, mishandling, or unauthorized sharing.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill generates reports and artifacts that include user names and plain-language excerpts of private conversation content, creating a persistent lead-tracking dataset of identifiable communications. In this marketing automation context, that makes the behavior more dangerous because the system is explicitly profiling individuals for outreach and storing the resulting dossier.

VirusTotal

65/65 vendors flagged this skill as clean.
