Security audit

Wechat Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill’s WeChat publishing workflow is mostly coherent, but its generic local secret helpers can expose broader workspace credentials than the WeChat task requires.

Install only if you are comfortable with a workflow that can read and write local WeChat credentials, create WeChat drafts, query Sogou, and globally install an npm CLI if missing. Use a dedicated WeChat credential entry, avoid storing unrelated secrets in the same secrets.json file, and do not run get.py/add.py in logged or shared terminals because they can print full secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (15)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Content:
```python
import subprocess

# Excerpt flagged by the scanner. The enclosing `if` (the Windows branch) sits
# above these lines; only its body and the Unix `else` branch are shown.
    def cmd_escape(s):
        # Escape cmd.exe metacharacters before joining the parts into one string
        return (str(s).replace("^", "^^").replace("&", "^&").replace("%", "^%")
                .replace("<", "^<").replace(">", "^>").replace("|", "^|")
                .replace('"', '""'))
    cmd_str = " ".join(f'"{cmd_escape(p)}"' for p in cmd_parts)
    # Flagged call: the assembled string is handed to the shell (shell=True)
    result = subprocess.run(cmd_str, check=False, env=env, shell=True)
else:
    # Unix: use list form without shell
    result = subprocess.run(cmd_parts, check=False, env=env)
```
Confidence: 95%
Finding: result = subprocess.run(cmd_str, check=False, env=env, shell=True)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Content:
```python
import shutil
import subprocess

# Excerpt flagged by the scanner. RED, GREEN and NC are the script's ANSI
# colour constants, defined outside this excerpt.
if shutil.which("wenyan") is None:
    print(f"{RED}wenyan-cli 未安装,正在安装...{NC}")
    try:
        # Flagged call: installs a third-party npm package globally at runtime
        subprocess.run(["npm", "install", "-g", "@wenyan-md/cli"], check=True, capture_output=False)
        print(f"{GREEN}wenyan-cli 安装成功!{NC}")
    except (subprocess.CalledProcessError, FileNotFoundError):
        print(f"{RED}安装失败!请手动运行: npm install -g @wenyan-md/cli{NC}")
```
Confidence: 86%
Finding: subprocess.run(["npm", "install", "-g", "@wenyan-md/cli"], check=True, capture_output=False)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill describes capabilities that imply environment access, local file read/write, network use, and shell execution, but it does not declare corresponding permissions. This creates a transparency and consent gap: users or hosting frameworks may allow the skill to run without understanding that it can access credentials, modify local state, make outbound requests, and invoke installers or scripts.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior goes beyond a simple publishing workflow by including local secret management, reading credentials from local files, and automatically installing an external npm package. These extra behaviors materially expand the trust boundary and attack surface, especially because auto-install executes third-party code from the network and secret-management scripts may expose or mishandle credentials.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: This script reads from a centralized workspace secrets store and exposes secret material on demand, but the file itself provides no access control, scoping, or audit boundary around who may invoke it. In the context of an automation skill, a generic secret-dumping helper increases the chance that unrelated workflow steps, logs, or users can retrieve credentials beyond what is necessary for the stated publishing task.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The script reads a local secrets store and enumerates token-related fields to stdout. Even though values are masked, this still discloses the existence, names, structure, and partial contents of credentials, which can aid credential targeting and may expose short secrets almost fully.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: Auto-installing a global package is broader behavior than simple article publishing and introduces persistent system modification. In an agent skill context, this is more dangerous because it changes the environment and trusts remote package sources at runtime.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The script reads local credential stores and exports secrets into process environment variables for downstream use. While publishing to WeChat requires credentials, silently harvesting them from workspace files increases sensitive-data exposure and broadens access without explicit user acknowledgment.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: The trigger phrases include very broad everyday requests such as writing, continuing, or expanding text, which can cause the skill to activate unintentionally in unrelated contexts. Accidental activation is risky here because the skill can perform networked publishing, credential access, file writes, and shell-driven workflows once invoked.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: The one-sentence example uses a broad natural-language request that does not clearly separate drafting from publishing, making it easy for a user to trigger the full workflow accidentally. In this skill's context, accidental invocation could lead to external API calls, draft publication, credential use, and persistent state changes without a sufficiently explicit opt-in.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script writes secrets to disk and then prints all stored fields, including sensitive values, to stdout. This can expose credentials through terminal history, shell logging, CI logs, screen sharing, or other local monitoring, and the file itself remains a plaintext secret store if the host is compromised or backed up insecurely.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script prints secret values directly to stdout, including potentially entire secret objects when no field is specified. Stdout is commonly captured by terminals, shell history, CI logs, agent transcripts, or orchestration tooling, so this creates a straightforward path for credential disclosure.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The script accesses a sensitive credential file silently, with no warning, confirmation, or disclosure to the user before reading it. In an agent skill context, hidden access to local secrets is risky because users may invoke the skill for content automation without expecting credential enumeration behavior.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The code accesses secrets.json and TOOLS.md to retrieve WeChat credentials, then places them into environment variables without explicit warning or consent. In an automation skill, undisclosed credential handling is risky because users may not expect local secret files to be read and repurposed.

Credential Access
Severity: High
Category: Privilege Escalation
Content:

| File | Purpose |
|------|---------|
| `~/.openclaw/workspace/secrets.json` | Stores the WeChat Official Account AppID/AppSecret (optional; TOOLS.md is also supported) |
| `~/.openclaw/workspace/wechat-monitor.json` | Article tracking state data |

## External network calls

Confidence: 88%
Finding: secrets.json

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.