lh-wechat-to-markdown

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeChat article archiving tool. The main caution is that optional image downloading can reuse browser cookies and Referer data, and the saved output may contain logged-in content.

Install dependencies in a virtual environment, use a dedicated low-privilege browser session for WeChat, and be cautious with `--download-images` because it may send Referer and domain-matching cookies while fetching article images. Store the generated Markdown, HTML snapshots, and images privately if the article was login-gated or copyrighted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 85%
Finding
The README explicitly documents reusing the browser session's Referer and Cookie values when downloading images, but it does not warn that these headers may contain authentication or tracking data tied to a logged-in WeChat session. In a scraping tool context, this can normalize propagation of sensitive session material to secondary requests and increase the chance of accidental credential leakage, unauthorized access continuation, or privacy exposure in logs and downstream tooling.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly states that enabling image download will reuse the browser session's Referer and Cookie for outbound image requests, but it does not present this as a clear privacy/security warning to the user. This can leak authenticated session context or other sensitive browsing state to third-party image hosts embedded in article content, especially since WeChat articles may include externally hosted resources.

VirusTotal

64/64 vendors flagged this skill as clean.
