Security audit

WeixinClawBot Send

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it lets an agent send WeChat messages and selected attachments, using disclosed WeChat bot credentials.

Install only if you want your agent to have WeChat sending authority. Keep bot tokens and account files private, verify the recipient before sends, prefer `--dry-run` for uncertain messages, and do not allow the agent to send secrets, private reports, internal URLs, or sensitive files without explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and documents capabilities to read environment variables and communicate with an external network service, but it does not declare permissions or provide an explicit capability boundary. This creates a transparency and governance gap: an agent or platform may invoke a skill that can exfiltrate message contents, files, recipient identifiers, and bot credentials without users or policy systems having a clear permission model.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The function accepts arbitrary http/https URLs and fetches their contents server-side before sending them onward, which creates an SSRF-capable outbound request primitive. In an agent skill whose stated purpose is sending WeChat media, this materially expands capability to reach attacker-chosen destinations, probe internal services, or exfiltrate fetched data through WeChat without clear restriction.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code performs arbitrary outbound fetches that are not tightly aligned with the advertised capability of proactively sending WeChat messages. This unnecessary network reach increases attack surface because an attacker can supply remote URLs to make the agent retrieve unexpected content from external or internal endpoints.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes proactive outbound WeChat messaging and sending files/URLs, but it does not warn that an agent may transmit private conversation content, reports, local files, or sensitive operational data to an external messaging channel. In a skill whose entire purpose is proactive notification, that omission materially increases the chance of unintended data exfiltration or privacy violations through over-broad automation or user misunderstanding.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README promotes proactive WeChat messaging, alerts, and scheduled reminders but does not clearly warn users that message contents, recipient identifiers, files, and timing data will be transmitted to external WeChat/OpenClaw services. In an agent context, this increases the chance that users enable autonomous notifications that expose sensitive operational or personal data without informed consent or guardrails.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The installation and usage examples explicitly encourage autonomous, agent-driven notifications such as CI alerts, anomaly reporting, and scheduled reminders, yet provide no warning about the operational risks of unsupervised outbound messaging. In practice, an agent could be configured to send noisy, sensitive, or misaddressed alerts to WeChat recipients, causing data leakage, spam, or social engineering opportunities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill is specifically designed for proactive outbound messaging to WeChat, including text, files, and explicit recipient IDs, yet the documentation does not clearly warn that invoking it transmits user-provided content and identifiers to an external service. In an agent setting, that omission raises the risk of accidental data leakage, unintended notifications, or sending sensitive files to the wrong party.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation exposes use of `WXCLAW_TOKEN` and account credential files but does not warn that these are sensitive secrets that grant messaging authority. If mishandled in logs, prompts, shell history, or shared environments, an attacker could reuse the token to send unauthorized messages or impersonate the bot.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.