WeChat Official Account Article Auto-Publishing Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill automates WeChat article drafting, cover generation, draft creation, and optional publishing, but it handles real credentials and makes external network calls that users should control carefully.

Install only if you are comfortable giving it WeChat Official Account credentials and image-generation API credentials. Use dry-run and preview outputs before creating drafts or publishing, avoid feeding untrusted or internal URLs, and consider running it in a locked dependency environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'results' from requests.get (line 115, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
            results = result.get("output", {}).get("results") or []
            if not results or not results[0].get("url"):
                raise CoverGenerationError("通义千问任务成功但未返回图片 URL")
            image_response = requests.get(results[0]["url"], timeout=120)
            image_response.raise_for_status()
            return image_response.content
        if task_status in {"FAILED", "CANCELED"}:
Confidence
93% confidence
Finding
image_response = requests.get(results[0]["url"], timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation clearly instructs use of shell commands, local file paths, file generation, network access to WeChat and image APIs, and publishing actions, yet no explicit permissions are declared. This creates a trust-boundary mismatch: a host or reviewer may underestimate what the skill can do, while the skill can read/write local content, call external services, and trigger publication workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill supports commands that directly publish to a live WeChat official account, but the documentation does not require a conspicuous warning or an explicit confirmation step before publication. In this context, accidental or premature publishing can cause public-facing reputational damage, misinformation release, or disclosure of unreviewed content to a real audience.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill asks users to configure sensitive credentials such as wechat.app_id and wechat.app_secret, but it provides no warning about secure storage, redaction, or avoiding exposure in logs, prompts, or generated artifacts. Because the skill also uses local files and automation, poor handling of these secrets could lead to credential leakage and unauthorized access to the associated public account APIs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code performs a server-side HTTP GET to any user-supplied URL with no allowlist, scheme/host validation, redirect restrictions, or private-address blocking. This creates an SSRF primitive that can be used to probe internal services, access cloud metadata endpoints, or make the agent reach unintended network locations; in this skill’s context, fetching arbitrary article URLs is a core feature, which increases exposure rather than reducing it.

VirusTotal

65/65 vendors flagged this skill as clean.
