ClawHub

wxgzh

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WeChat Official Account draft-publishing helper, but it involves a third-party CLI and sensitive account credentials.

Install only if you intend to use wxgzh for a WeChat Official Account. Review the npm package before global installation, do not paste AppSecret into shared chats or logs, protect the local config file, and confirm the exact article, cover, account, and options before running any publish command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger condition is overly broad: 'when the user expresses intent to publish an article' can cause the skill to install software, check configuration, and initiate publication steps without a narrowly defined boundary or explicit confirmation. In an agent setting, broad triggers increase the chance of unintended execution on ambiguous requests, which is especially risky because this skill can perform networked actions and publish content to an external platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to provide AppID and AppSecret and notes that configuration is stored in a local file, but it does not clearly warn that these are sensitive credentials requiring secure handling. This can lead to secrets being exposed in shell history, logs, screenshots, shared terminals, or insecure local storage, enabling unauthorized access to the connected WeChat public account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal