Wemp Ops

Security checks across malware telemetry and agentic risk

Overview

This is a real WeChat operations skill, but it needs review because it bundles credentials and can affect public-account content, followers, comments, drafts, analytics, and other social platforms.

Install only after replacing or removing the bundled WeChat credentials and confirming which account it will control. Require explicit approval before draft upload, publication, comment replies, draft deletion, cross-platform posting, mass messaging, follower administration, or retaining drafts/analytics for style learning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest says the skill is not for Xiaohongshu (小红书) operations, yet the workflow later instructs generation and publishing of Xiaohongshu content. This inconsistency can cause the agent to perform cross-platform posting outside the user's expected scope, increasing the chance of unintended publication and policy bypass through a mis-scoped skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as limited to WeChat Official Account (微信公众号) operations, but it also includes creating and publishing X/Twitter content. That makes the skill more dangerous in context because external social posting is a higher-risk action than draft preparation, and users selecting a WeChat skill may not expect outbound posting to another platform.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This utility module exposes powerful account-management and outbound messaging functions, including blacklisting users, mass messaging, template/custom message sending, menu changes, and QR code generation. In a skill intended for Official Account (公众号) operations, some publish/comment/data APIs are expected, but bundling broad follower-administration and outbound messaging primitives materially expands abuse potential if higher-level prompts or wrappers invoke them on untrusted user input.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that WeChat Official Account API credentials are required for publishing features but gives no warning that the skill may transmit content to external services or perform account-impacting actions. In a skill that can publish, manage comments, and access analytics, omission of these warnings can lead operators to supply high-privilege credentials without understanding the blast radius.

Vague Triggers

High
Confidence
95% confidence
Finding
The activation rules are extremely broad and state that even when the user does not mention the Official Account (公众号), common requests about writing, publishing, analytics, or comments should trigger this skill. In context, that is dangerous because this skill has file, network, publishing, and comment-management abilities, so overbroad routing can cause it to take over general writing tasks and reach connected accounts without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs the agent to delete used handoff entries, and possibly the entire handoff file, after consumption, without explicit user notice or confirmation. Silent deletion is risky because it destroys the audit trail and source material that may be needed for review, rollback, or dispute resolution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill writes intermediate findings to a temp file and later deletes that file without clear disclosure to the user. Even though the file is temporary, automatic creation and removal of analysis artifacts can surprise users and obscure what content was collected or transformed during the workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill automatically updates a persistent publish-feedback file after draft creation by scraping historical article metrics, without making that persistence an explicit user-facing choice. This is dangerous because it silently expands the task from publishing into account analytics collection and file modification, creating unexpected retention of operational data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The style-learning workflow automatically records original drafts and final versions, including user-provided and edited content, without an explicit privacy or retention warning. In context, this creates a persistent corpus of potentially sensitive unpublished material and user writing preferences beyond what is necessary to complete the immediate article task.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When `--upload` is enabled, local image files referenced in Markdown are automatically transmitted to WeChat via `uploadArticleImage` with no explicit privacy warning, consent checkpoint, or allowlist on what may be uploaded. In an ops skill that handles publishing workflows, this increases the chance that sensitive local files or internal images are exfiltrated to an external platform during routine content processing.

Ssd 3

Medium
Confidence
95% confidence
Finding
This section establishes ongoing collection and retention of article drafts and final outputs for future model/style improvement. That is a real data-minimization risk because the stored content may include confidential business plans, unpublished campaigns, or personal editorial preferences unrelated to the user's immediate request.

Ssd 3

Medium
Confidence
90% confidence
Finding
Automatically extracting historical article metrics and persisting them in a feedback file creates a standing repository of account performance data. While relevant to optimization, it is still sensitive operational information, and collecting it by default increases privacy and business-intelligence exposure if the workspace is shared or later accessed by other tools.

VirusTotal

67/67 vendors flagged this skill as clean.