微信公众号文章创作 (WeChat Official Account Article Creation)

Security checks across malware telemetry and agentic risk

Overview

The skill matches a WeChat content-automation purpose, but it can automatically send drafts to WeChat and use broad stored credentials without a clear per-run approval step.

Install only if you intend this skill to use local API keys, call external AI/image/search services, run companion WorkBuddy tools, and create WeChat drafts. Disable auto execution where possible, use --no-auto or --no-publish until you review outputs, isolate credentials to a task-specific .env, and avoid real browser profiles unless actively supervising the publish step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code builds a shell command string for execSync using a user-controlled URL, which creates a command-injection risk if shell metacharacters or quoting edge cases are introduced. In this skill context, the extractor is explicitly designed to process arbitrary external article URLs, so attacker influence over this parameter is expected and makes the issue more dangerous.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The loader automatically reads .env files from the user's home directories (.openclaw and .workbuddy) in addition to the skill root, which expands the skill's credential access beyond what is necessary for this file's stated purpose. In an agent setting, this creates unnecessary exposure of unrelated secrets to the skill runtime and can enable downstream components to use or leak credentials the user did not intend to grant.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script performs a global npm install at runtime (`npm install -g @wenyan-md/cli`) if the CLI is missing. Installing packages during normal execution expands the skill's authority beyond publishing, executes remote code from the package registry, and can modify the host environment persistently, which is risky in an agent context.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The browser publishing path invokes an external automation tool via shell command (`uvx browser-use ... open https://mp.weixin.qq.com/`). Although the URL is fixed and options are booleans, this still launches a powerful external tool that may access local browser profiles and authenticated sessions, increasing the blast radius if the tool or environment is compromised.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The function marketed as a formatting optimizer also conditionally publishes content to WeChat when a quality threshold is met. This is a real security-relevant behavior mismatch because processing local content unexpectedly escalates into external transmission using account credentials, which can cause unauthorized publication or data disclosure if the caller did not intend network side effects.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Loading WeChat credentials inside a content-optimization script broadens the trust boundary far beyond local text processing. Even though the code does not exfiltrate secrets directly, bundling credential resolution and publication capability into this tool increases the chance of unintended account actions and makes misuse more damaging in the skill context.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Importing child_process and using execSync to invoke an external publishing CLI gives this script command-execution capability unrelated to simple formatting. In this skill context, that is more dangerous because article paths and generated content are user-controlled inputs, and external command execution plus credentialed publishing creates a stronger side-effect surface than expected.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The comment and apparent API contract describe smart optimization, but the implementation also saves and may publish content. Misleading interface documentation is a security issue here because users and other developers may invoke the function assuming only local transformation, not destructive overwrite and remote submission.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code silently loads sensitive configuration and credentials from multiple locations, including a user-specified file and home-directory env files, without any notice, consent, or scoping. In a tool that may call external APIs, undisclosed secret ingestion increases the risk that users unknowingly authorize access to accounts or services outside the skill's expected scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The search workflow proceeds from discovery to rewrite, cover generation, formatting, and publication by default unless the user explicitly opts out with --no-auto. This creates external side effects against a real WeChat account without an affirmative confirmation step, making accidental publication of unreviewed or attacker-influenced content plausible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The links command similarly defaults into a full rewrite/generate/publish pipeline with only an opt-out flag. Because input URLs can be user-supplied and content is fetched from external sites, automatic publication raises the risk of posting malicious, copyrighted, or simply incorrect material without review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script rewrites the input Markdown file in place after normalizing content and modifying frontmatter, without confirmation or creating a copy. Silent mutation of user content can cause data integrity issues, unexpected loss of metadata, and makes the publishing action non-reversible, which is especially problematic for automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module sends full article content to third-party LLM endpoints (OpenAI-compatible and DashScope) without any visible consent, warning, redaction step, or policy gate. In a content-studio skill, articles may contain unpublished drafts, proprietary material, client data, or personal information, so silent transmission to external services creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document includes an end-to-end example that invokes `--publish` as part of an automated workflow without any warning, confirmation step, or discussion of irreversible external effects. In the context of a content-publishing skill, this increases the risk that an agent or user will unintentionally publish rewritten or scraped content to a public WeChat account, causing accidental disclosure, reputational harm, or policy/copyright issues.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script saves optimized content back to the input path by default, overwriting the original article without confirmation or backup. This can destroy source material or silently alter content in automated workflows, especially risky because optimization is based on broad regex replacements that may be lossy or incorrect.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically invokes publication once a score threshold is reached, using resolved WeChat credentials, without a clear consent step at execution time. This is dangerous because content may be transmitted externally based on local heuristics rather than an explicit user decision, which can leak drafts or trigger unintended account activity.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The configuration enables automatic execution of the skill with no visible gating, confirmation, or scope restriction. In a skill that can search, scrape, rewrite, generate covers, and publish content, auto-execution increases the chance of unintended network activity or publishing actions being triggered without explicit user approval.

External Transmission

Medium
Category
Data Exfiltration
Content
| WeChat AppSecret | `WECHAT_APP_SECRET` | required for publishing |
| Alibaba Cloud DashScope | `DASHSCOPE_API_KEY` | required for cover generation |
| LLM API Key | `OPENAI_API_KEY` | required for AI rewriting |
| LLM Base URL | `OPENAI_BASE_URL` | default `https://api.openai.com/v1` |
| LLM model name | `OPENAI_MODEL` | default `gpt-4o` |
| Web search proxy | `HTTPS_PROXY` / `HTTP_PROXY` | used to reach Brave/GitHub etc.; defaults to `http://127.0.0.1:7890` when unset |
| Brave request interval | `BRAVE_SEARCH_MIN_INTERVAL_MS` | minimum interval between two Brave requests (ms), default `3200`; increase it if you get HTTP 429 |
Confidence
89% confidence
Finding
https://api.openai.com/

Credential Access

High
Category
Privilege Escalation
Content
| Web search proxy | `HTTPS_PROXY` / `HTTP_PROXY` | used to reach Brave/GitHub etc.; defaults to `http://127.0.0.1:7890` when unset |
| Brave request interval | `BRAVE_SEARCH_MIN_INTERVAL_MS` | minimum interval between two Brave requests (ms), default `3200`; increase it if you get HTTP 429 |

**.env lookup order:**
1. `OPENCLAW_ENV_FILE` (if set)
2. `.env` in the skill root directory
3. `~/.openclaw/.env`
Confidence
93% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
description: 微信公众号内容工作室 — 支持多来源权威搜索、多站点文章抓取、AI 改写、封面生成、智能排版发布的一站式工具
author: 模型猎人
version: 2.2.0
allowed-tools: Bash,Read,Write
---

# WeChat Official Account Content Studio (WeChat Content Studio)
Confidence
78% confidence
Finding
Write --- # WeChat Official Account Content Studio (WeChat Content Studio) A one-stop official-account content creation tool that supports **multi-source authoritative search** (10 major categories, 50+ sources) and **multi-site article scraping**, with automatic merging, **AI rewriting**, **cover generation**, and **smart formatting and publishing**. The default output root directory is **`~/WorkBuddy/<技能文件夹名>/`** (with `~/.workbuddy

VirusTotal

VirusTotal findings are pending for this skill version.
